23542300x8000000000000000651549Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:23.690{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01C63093DF093FC284FFF8DB4D95F447,SHA256=7082677CBF837AF25C4341BC46052F6054FDA742AFF034841FE1B7626FD59867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651548Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:23.664{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1F9663FE36E696BED3BF3683A659CA,SHA256=0AE5F58FFD851453C74C085B4D2449C727C5DE66BCF0C492ED2A80CE58C980F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553178Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:23.035{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8420E42CC0DCC648618321E9740AD75,SHA256=FB7ABB8028BDEF551228805A168726542B54EB13EE4B497598625B0E748ACBA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651547Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:21.322{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65086-false10.0.1.12-8000- 23542300x8000000000000000651551Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:24.671{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B28439DBF6ACB6B02F3DF0882D75C2,SHA256=6360CC94BBB70D43DD21C3121F306AAE6114A7932FC9224C978000DA33C8BAA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553181Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:24.379{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A715B957691199EFC58894331943AAC,SHA256=ECEC75093E70D3464C85CAF21C6E3257A84BA2E2114B675FA70E4F33C01D28CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553180Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:24.379{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA0961F8A9FBA72D3D7F0CA2E0C1C316,SHA256=1A2C1AE4CA07E7677A0B0C9F28AAAFEACBEF67954B20FB16B6270C63E5A3B7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553179Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:24.051{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69EA8964F817E856E78594402450A409,SHA256=F986F2062154C2103B37159E39D920E11D7A48B1707E69805DC3317D8E7CA67F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651550Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:23.056{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65087-false10.0.1.12-8089- 23542300x8000000000000000651554Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:25.676{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C57F8632D0CB1D7041F24B1E52D17A,SHA256=C64C999CCDBFFA1C7DFF1CF324FBC1162C04EF926872E7B5897BFC4C2056AD38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553182Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:25.051{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C9CCD110E6A86341CDCB90626D3A83,SHA256=BFB7CC3C2DAB87A5FE90FEA3A521B4F8A922BAFE6B98E6AF29DD730773F6FCC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651553Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:23.523{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65088-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000651552Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:23.522{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65088-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000651555Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:26.699{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F6061A7F9FC2F39E69FEA97E8CDD0F,SHA256=63B7B99F14E0485619F6E1D6AD0B0FA8F66C3DC37E89CCA976049BD6681912C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553198Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.957{E1BD9FC2-6886-609D-3B4E-00000000BB01}323516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553197Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6886-609D-3B4E-00000000BB01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553196Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553195Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553194Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553193Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553192Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553191Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553190Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553189Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553188Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553187Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6886-609D-3B4E-00000000BB01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553186Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6886-609D-3B4E-00000000BB01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553185Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.833{E1BD9FC2-6886-609D-3B4E-00000000BB01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000553184Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:22.788{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51559-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553183Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.067{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C677A89B68A403910DE8E413D70AD86,SHA256=A33BA8BA5653423C74FFAB793D9EBE1FFCFA1E77EC38B740636969A44FD0C315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651557Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:27.744{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82562775C2DFAD35FAD1375249FA88F3,SHA256=19E9C3F068FD91861CD14EEC0AA57FF084DB936E40E616ABA5A49DC06CE51402,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553230Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6887-609D-3D4E-00000000BB01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553229Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553228Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553227Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553226Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553225Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553224Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553223Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553222Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553221Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553220Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6887-609D-3D4E-00000000BB01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553219Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6887-609D-3D4E-00000000BB01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553218Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.958{E1BD9FC2-6887-609D-3D4E-00000000BB01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553217Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.848{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A715B957691199EFC58894331943AAC,SHA256=ECEC75093E70D3464C85CAF21C6E3257A84BA2E2114B675FA70E4F33C01D28CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553216Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.551{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=3182DB13C820F175ECBA57D6E9E045F2,SHA256=417F4E366ABF6C25D0C6270CC120C9284726318448E9E95A4F6BF2598AA2FED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553215Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.551{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=EAEBA4013650A45DB6B5B18597D0C128,SHA256=14D91E61021BFAD21DEEEB050B7599AA1798DAEABAAE5CEC2F2B6EFD49668342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553214Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.551{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=0280BEBD018A95B9061F089A5ACC6C81,SHA256=4D1C9637C64815CF527F1AAF0823B0E21F6924C230A02C46139AB882E544946A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553213Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.489{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553212Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6887-609D-3C4E-00000000BB01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553211Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553210Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553209Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553208Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553207Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553206Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553205Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553204Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553203Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553202Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6887-609D-3C4E-00000000BB01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553201Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6887-609D-3C4E-00000000BB01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553200Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.334{E1BD9FC2-6887-609D-3C4E-00000000BB01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553199Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.067{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FE5E3E003035C8B5A710FE72A7E768,SHA256=7C2F36EC355145EAE9E15604911D79869D3084EDC6908481C3EC0E343A968A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651556Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:27.117{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD64B3BF53B2767425737B4FBCECEC9B,SHA256=F3DE390C972A70186798290A14969488F9C606DC26570CE8BBF3030AA5894B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651559Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:28.749{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3870C7CE2AB58FED1F46A522847F3CD2,SHA256=F9C795EC9981EB27243565E98351E3453F113FDEC014A52C5A468925F971F988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553231Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:28.145{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69445A7D8EC37C408709282704AF422,SHA256=30A38F5AEB8872E472DCD29A49D9615EC2D3C0BE5E5E09C17FD0BA2A477148F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651558Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:26.349{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65089-false10.0.1.12-8000- 23542300x8000000000000000651560Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:29.751{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA24D578BDCE29CC76D197326F08C79,SHA256=9C5C905E5B602A960FC3DC3280AD6BBFA32538FCF34479245ED0E0992399DB82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553234Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:29.348{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1571BB25193CC2CF0126D873CB192EEA,SHA256=3173924EE705FCE2265AA90815778A726E6342569E0FC99584B2930394937E6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553233Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.116{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51560-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000553232Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:29.082{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE8C6FB3738FA4504CB34C0FA4B04435,SHA256=D959A7285A41A60DE4CD684904279C125B3696D38FAD62F74162E5389AB9AA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651561Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:30.761{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C2EDC1B6621EAD6AC23E791E3D0618,SHA256=86EECFF9F25ABDD264C339C60ACBDE5FFE4445C22D77C666676614F9895A2A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553236Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:30.364{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409272F3D3F439BFA69D6DC65E023DAC,SHA256=12B4677E6909FF5E0D7B31759DE99996E689470DC6D6BE23CBFE9475A1648B98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553235Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.850{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51561-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000651562Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:31.773{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90063C741C22D29FE11AFC6BF730F4C,SHA256=F85770A67D75327031E73428BFD1FDC8EEC6566804419A5DBF81D8F325504424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553237Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:31.426{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08277084F98059A6ACDFE2489C5DD87E,SHA256=789E64E9EDCE87415020848F3D3B6E9FAF191098CCEF349ADD74E14E9D99AF16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553238Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:32.442{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E96841877A602670C082E77B85C626,SHA256=0935B89F43D5AC91F6C092C03F3FFD6DA693C1DD78FDAEFCCF9BBECE85B20BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651565Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:32.816{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29140FD911FAC7DCBB05F462D819F7D,SHA256=02C75E53423EDC954BD4C86FA61869410584BDA02D6024628F26D6068E627EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651564Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:32.209{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=257FC3BC207D8660EAF664CFE6988F9C,SHA256=1351B8464CC525D7678FEE517A40C4BDD1EA31BAE98080C5CAE5FF586951E1ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651563Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:32.208{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EF758812C4B2FD05ADAD6696A9406CF,SHA256=2CF6F18161DB1EB17A0448BDB7EA11D711BEE9EC28F092B1D33BB4A04E2BE28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651568Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:33.829{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E38552C1D253FE3327A52B5D51921FB,SHA256=ED00D1E449D92F6CCA484D314C4AD137670367E7B024283FB8F7D98242006958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553239Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:33.473{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A98726FF339E8F2B628F64A8173F91,SHA256=066D3D67BFCECB716CCCAA85609B3495F59912331E4F749BC99BA4A073CA660B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651567Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:33.672{7B03F3B2-D0CA-609A-0D00-00000000BA01}9127316C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000651566Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:31.438{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65090-false10.0.1.12-8000- 23542300x8000000000000000651569Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:34.834{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812D314AC7EAB25979C66E11E9A52AC3,SHA256=7A27DEA99C7BB59D55B6C2CB050E7561601DD3DA7E661D15EFC108B52B1AF3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553240Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:34.504{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40682C8998D06E5DC915E8AAB37A865D,SHA256=11983F1DFFA91A268446BD99018978F2B4ED7A3C11A16B6E37B16CF2D4CE8BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651570Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:35.844{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C4B2DA477CE2B6C332B4120EBBAC04,SHA256=C5039082D0EA2682872706A2B8C56F0D9F263552432950AA08FE479277598B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553244Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.504{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EF8F9ED3F537825E4984DD5002CD99,SHA256=EB49BC01F707A35AF9586A490804E6E03CBF4A8394F5254FC09415200EA34CEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553243Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:33.678{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51562-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553242Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.114{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=132F6AC471D021493630428E08FF2E68,SHA256=53C1F6D3B156270AD35D212D8986F52B384FAA4563C0AF1FE4527C3B76B37784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553241Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.114{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F52F90ADF90A338CEC89CBF1F2EAEE1,SHA256=FD295BF6C647A35B5B27A081BEC693C177592FC3424EE7601FF7B569D84CD21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651571Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:36.849{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FCCB315EF2E30E052069095B12BE06,SHA256=5ADEDE98595074AF1FA086E9E26EC28691603286B19FB0B7B75ACCFB474EF954,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553273Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.785{E1BD9FC2-6890-609D-3F4E-00000000BB01}32561980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553272Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6890-609D-3F4E-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553271Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553270Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553269Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553268Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553267Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553266Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553265Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553264Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553263Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553262Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6890-609D-3F4E-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553261Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6890-609D-3F4E-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553260Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.661{E1BD9FC2-6890-609D-3F4E-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553259Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.520{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=498B29D69B309E4445FB6239C64DDE79,SHA256=7E432B9E00F9689275FCB111C6BB3AADE2CCD4CCE1A616B55E3F2BC785213EB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553258Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.114{E1BD9FC2-688F-609D-3E4E-00000000BB01}40123940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553257Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-688F-609D-3E4E-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553256Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553255Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553254Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553253Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553252Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553251Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553250Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553249Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553248Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553247Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-688F-609D-3E4E-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553246Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-688F-609D-3E4E-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553245Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-688F-609D-3E4E-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000651575Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:36.461{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65091-false10.0.1.12-8000- 23542300x8000000000000000651574Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:37.861{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22DD2B275F7F362B93DD0B065E15AE9,SHA256=9DBE2CAF38F880235569443813D855F18635DAC12AE891BC30461BF195EB3173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553288Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.676{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5267416D8DAEC358F9DCFFAF83DE3E32,SHA256=E2B6042043E1CB5F1A5C58B794CBF6759269EAA64B9F2CFDE4415A9034368A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651573Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:37.226{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C6EB13C1ABB6844A0CFF5CDE873AC9A,SHA256=EDB29ABA7E58FEDAD79972469EC259A03C44C29E47CDAAF55C81B4C57A2A6C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651572Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:37.225{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=257FC3BC207D8660EAF664CFE6988F9C,SHA256=1351B8464CC525D7678FEE517A40C4BDD1EA31BAE98080C5CAE5FF586951E1ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553287Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6891-609D-404E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553286Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553285Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553284Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553283Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553282Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553281Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553280Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553279Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553278Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553277Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6891-609D-404E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553276Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6891-609D-404E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553275Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.333{E1BD9FC2-6891-609D-404E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553274Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.020{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=132F6AC471D021493630428E08FF2E68,SHA256=53C1F6D3B156270AD35D212D8986F52B384FAA4563C0AF1FE4527C3B76B37784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651608Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.904{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D36B57ECD749CA4FE1DCE12F4E94043,SHA256=D3AB16CE76E06F0EA8C2C97462980D1AD527DAEFD0503D1A4BAC8F76B1F4DE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553304Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.723{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF177ECE90F90A820FB61C9BBB68E1D,SHA256=04891B40A404CA5A1E46208347443E843239F69ED0916F8122D0446D232C1A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651607Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.760{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C6EB13C1ABB6844A0CFF5CDE873AC9A,SHA256=EDB29ABA7E58FEDAD79972469EC259A03C44C29E47CDAAF55C81B4C57A2A6C74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651606Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651605Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651604Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651603Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651602Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651601Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651600Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651599Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651598Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651597Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651596Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651595Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651594Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651593Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651592Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651591Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651590Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651589Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651588Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651587Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651586Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651585Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651584Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651583Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651582Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651581Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651580Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651579Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651578Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651577Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651576Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000553303Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.348{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B21F89B280D9BCFEF13ADAD87DDB3BFF,SHA256=B9162AE6887C456FB5AB4C16117ED6B0DF6F1FD34F193023D4519AB5261417C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553302Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.129{E1BD9FC2-6892-609D-414E-00000000BB01}19522752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553301Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6892-609D-414E-00000000BB01}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553300Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553299Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553298Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553297Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553296Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553295Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553294Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553293Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553292Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553291Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6892-609D-414E-00000000BB01}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553290Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6892-609D-414E-00000000BB01}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553289Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.005{E1BD9FC2-6892-609D-414E-00000000BB01}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651609Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:39.915{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A710757E6ACF6220C4C3E4414FEB6F,SHA256=2B54150DFE39FA91343C7C24A15B7D7C97E00CC58B4B8E3F451CC397765421A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553305Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:39.785{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6586954B09B0DD9649BEE297A2496F92,SHA256=EADE2D17E6F5320BDFD94DA70F8FB857C4DD859780FE1FA65B3E0E59C3799D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651610Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:40.926{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060EEC3E83119C26AD5876241FB7168D,SHA256=F24F920C8182BDB81BC5A01521174A94DACA2D67696FB9D3AD43C5269A40D9B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553307Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:40.817{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B9A1933F842A2FED99BB38A095BF8A,SHA256=678CA7CE5F57ABA29CF07886D195F4162AC3E92863977D50F3CFCB9A8C9EE856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553306Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:40.192{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB9483C1682F5F64DBB064C8DDE5B744,SHA256=B4A5B1998FAAD7EC52318E5B490AA1490A06F678CB664FE689BE7C229A646B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651611Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:41.933{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB08A45DDA3A264D0D85E351426BA60,SHA256=05E4F9C149A6CF0B19F83F8626A5840480A229D4F00F57F7781B08B7BD672D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553309Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:41.848{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E132BA6BCE1F66471E64CDFCDB32B938,SHA256=5716F066C17EDC6D06820610EB9C71FC98F1A1A3FA781CFEE76631BF28C0880B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553308Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.678{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51563-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000651612Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:42.943{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4DDC704C01970658C00ECB2CAEA8BAA,SHA256=A36D4E0A563E306CFAA4AB20969802EABF8D85AB0B5CD12D620D94D942213803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553310Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:42.852{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97ED1694112F1DD7424A12E5F6058D18,SHA256=B9711FFDAD5D73384D8E9A0183F0E3CBE4BCF53F72AE86503B27C0BC7E714490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651614Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:43.952{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8634F74860FDFEFB1D4745A958AA5D,SHA256=EC78E30A0BFAD1D0BF23066FD890BC3C6EF2266B98804798EF252B6997ACD903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553311Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:43.867{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7800DC942730ADD7746C34C19113401A,SHA256=287C47ED751C5720B101347BD479A6FF37F330E9F10A9108409A264C8EDBB64C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651613Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:43.093{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAEB29CA82B249B6F1C6795547662D9C,SHA256=BD084E384F7D74A0D4732278BCA6B6F70D2CA99AEA3AB356DCF062E59B949F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553312Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:44.883{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD437C15FAA3D4F276B456EF68AF3B4D,SHA256=7CEE2C2D03A0D66DF699D95108B8081D38D8E639289841F8C6C31FA8EBB955EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651616Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:44.961{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22ED7E5A4BAC70456ECCDABA6F51305B,SHA256=4071BCF275354C5FC116AC763195FD809F4AD7DA71E2102F4206ADA72E1F5070,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651615Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:42.327{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65092-false10.0.1.12-8000- 23542300x8000000000000000553315Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:45.883{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E165FCD203E5EDB2D279DEA89F85FF3,SHA256=F8DA152CACEE32F5464AA70DEB156863DCA943904C9AF92BBF23CCF7600E0F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651617Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:45.970{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85BCC4662E2C18B956F47C0449EF05A8,SHA256=C2042B6AEE24AC865F96DED6865FC5BA52F5DD460553AF7E9352E31842D020A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553314Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:43.729{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51564-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553313Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:45.086{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=663D009919B1129831F047DA14297F37,SHA256=810AE4E36490A2B15C482485D618E7ED43F8EF3FAC9F3D6EF375AC5ACCC94F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651634Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.982{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D4BB12B8654E38B1B6FB7F17FF5539,SHA256=E3B1274FF469B9076A420026638F87886AE5398899D518F0900B7150B94877A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553316Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:46.914{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9340BC1E4DC2D82832B3AC835C0963F,SHA256=D390A8FE473A815D8533B6A98A3D74679FDB64DE700AD6CD75A9FA203248ACD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651633Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.823{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-689A-609D-2C53-00000000BA01}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651632Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.821{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651631Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.821{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651630Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.820{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651629Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.820{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651628Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.820{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-689A-609D-2C53-00000000BA01}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651627Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.820{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-689A-609D-2C53-00000000BA01}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651626Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.820{7B03F3B2-689A-609D-2C53-00000000BA01}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000651625Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.282{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-689A-609D-2B53-00000000BA01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651624Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.280{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651623Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.280{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651622Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.279{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651621Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.279{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651620Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.279{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-689A-609D-2B53-00000000BA01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651619Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.279{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-689A-609D-2B53-00000000BA01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651618Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.279{7B03F3B2-689A-609D-2B53-00000000BA01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553317Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:47.946{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A8481CD84792CB7F05FA46C4DE1E688,SHA256=09F3224BCB4AB9215A94149250526A009F41DA80C9816C0BF703CDD7B620F39F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651644Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.503{7B03F3B2-689B-609D-2D53-00000000BA01}19168076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651643Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.350{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-689B-609D-2D53-00000000BA01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651642Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.348{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651641Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.348{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651640Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.348{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651639Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.348{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651638Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.347{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-689B-609D-2D53-00000000BA01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651637Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.347{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-689B-609D-2D53-00000000BA01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651636Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.347{7B03F3B2-689B-609D-2D53-00000000BA01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651635Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.287{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA622C2F9EA51E07777418F38C2B5C44,SHA256=541F4EB4DDFF6FD8F967D9CD6224B182717261BF1822606F2455D658791F2AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553318Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:48.961{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3467ED4ED4583A44E973718BE1C110B7,SHA256=27F7644AF04F6A82BE3BBE9E40D5967B2A6EF95E59503882BBCD6DBF49F5F7B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651655Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.625{7B03F3B2-689C-609D-2E53-00000000BA01}9044024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651654Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.451{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-689C-609D-2E53-00000000BA01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651653Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.448{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651652Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.448{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651651Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.448{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651650Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.448{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651649Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.448{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-689C-609D-2E53-00000000BA01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651648Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.447{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-689C-609D-2E53-00000000BA01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651647Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.448{7B03F3B2-689C-609D-2E53-00000000BA01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651646Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.356{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EE8BB118CE764E13BB03470415B244B,SHA256=CEC553C0941CA809C3B8500C1498D163112A9404FD14EE62EACEF1EB805175A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651645Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.006{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DE953EE075EC9C9B971D0A9A19FAEC,SHA256=5E9124AF2D36EE4CD9F846C07313FF6AF800C5A7F85F5DF74222A57E723EDEBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553319Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:49.977{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B0C41DB57B11E907181B599C3603E9,SHA256=BA95655E311AA44D0189FF098CF94C4A88A0A2757573A2BD5A8895EA355CCD4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651667Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.285{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65093-false10.0.1.12-8000- 23542300x8000000000000000651666Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.456{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EDF7EE6339C8508A0AFB9C08BED4716,SHA256=78C44E46033470A4F239D838E50D6A7584980A50BFF0618062F0F21583168F40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651665Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.328{7B03F3B2-689D-609D-2F53-00000000BA01}76447376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651664Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.147{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-689D-609D-2F53-00000000BA01}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651663Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.145{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651662Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.145{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651661Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.145{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651660Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.145{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651659Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.145{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-689D-609D-2F53-00000000BA01}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651658Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.144{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-689D-609D-2F53-00000000BA01}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651657Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.144{7B03F3B2-689D-609D-2F53-00000000BA01}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651656Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.065{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF25206F213ED3ABED8E031B46D0FB03,SHA256=CC55DFC39D22376D57047A08A59ADE0174BC7E721A384D36BE70B841C03F7D2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553322Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:48.776{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51565-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553321Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:50.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66E946481540A6E3769E1B79E95C5B50,SHA256=7BA3835FC7F878CB9FBDAAE87F76864DB1B6D73964876D98899870824BD87B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553320Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:50.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A301E44FC6BEEFD5E960066C3D3EA3A,SHA256=D02A0E10FFAA0C9B06BDE2BBC5FE7FCDB6A582C64200CA149004BD15B0B9559F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651668Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:50.071{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E8F4DC6A18C8E9067AE17EA0F8F0C0,SHA256=D3DBDB1497BEA8C8EAC86A76D9DD9442D3C3B5F37772583059C7280BD9D05DEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651686Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.960{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-689F-609D-3153-00000000BA01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651685Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.959{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651684Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.959{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651683Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651682Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651681Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.958{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-689F-609D-3153-00000000BA01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651680Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.958{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-689F-609D-3153-00000000BA01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651679Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.957{7B03F3B2-689F-609D-3153-00000000BA01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000651678Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.340{7B03F3B2-689F-609D-3053-00000000BA01}44204340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651677Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.179{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-689F-609D-3053-00000000BA01}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651676Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.176{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651675Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.176{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651674Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.176{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651673Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.176{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651672Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.176{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-689F-609D-3053-00000000BA01}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651671Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.175{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-689F-609D-3053-00000000BA01}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651670Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.175{7B03F3B2-689F-609D-3053-00000000BA01}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651669Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.093{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B522FD6281B1543339AA0D375E20A4,SHA256=A287509B0C993FB4D9C29C1D9995A77A16C7145E0206DCC30FBB1FF47901682C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553323Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:51.008{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=092DDD91B7553544FEF9137ACD14EB0E,SHA256=22FDAA3FAC3ADF6E9BC714399BC28CD77EFF891941195A67BEB57CD62FB3BA04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651697Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.872{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=19A2416E9619B0A39C1D1FAAAF22B257,SHA256=F235DAEF19539DAAAEF394A10A6EB3D392C47F06713B1FB8EF57D5167E8BD140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651696Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.411{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=3FA65E4FFCFCC67B2CEAE327420729E0,SHA256=24429E696AB2A1C4FA0D7E9BA07FABCF999D5BC66F06CFF58312B5D351430732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651695Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.410{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=63F8D0876E5D37722C2544B827B22162,SHA256=819BA11C4D75BD59947211E7E84427102D3373C6E019B9849A43C1F84423C959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651694Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.408{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=3CFF6B96AC3A539F304BF35B63FD0DF1,SHA256=DA495EA864F058CD9F735C3BFC7C39DEE7E37651545F3E75ECF9FB5EAA3D5F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651693Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.407{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=CE42040BFEFC1826946B95C20C6F5A36,SHA256=F7ED886C1A1454869BF8268AA970A72A695324346492FBE5AE6D38EADDBAF1DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651692Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.406{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=32A40D2C8217F2EA6BEDE45584C05798,SHA256=16DD526F9D96F413CF4B81DB0B5E149AC38B7E934BC69454FBAB2F8FC9CB3AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651691Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.405{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=0BAB0528A2AACA4BD40FE3A489056742,SHA256=1B4619C375F8B42CECDC46F78AE1FDA8803A1571E51063142D9750E8DA13AB28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651690Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.404{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=7374FC25284F854FC2EF90B290A91E44,SHA256=78DF10BC5AC0A5410009AE10504A4838775FE6BF20B2416B8429C6D9A83F9B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651689Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.403{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B0CD890591BD50F6A9E0FF4F94285DCD,SHA256=52944146A5A3E8BC9A5284992D05646197A0E8DE9F9112639230BC95488463B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651688Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.203{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2A5601099EFE0294227EBA5B4C37663,SHA256=BAD6CB45757C6EDF95900BD339B69BF75F8DAA46CFFE93584726C3F83249C73C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651687Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.114{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70343A36838DB1495671DD885AEA8A90,SHA256=550861E34BD40CF1A57ED12C6D3CD1CE2F14E53ED76988FF9AFFEBCB95430A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553324Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:52.008{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A0367F980DD40BCFF383EEB274F53A,SHA256=A83730B220B86A10A5526347ACA69F70D56DB009ED135BFC4CEC7695F3971A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553325Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:53.009{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6176AA2DA1C924BFC3ADEEFFDD3189C7,SHA256=CB0F627C71CD2DABAFF520E806314B307E22A244DEE88A77D7FF4E2CF0DF47B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651698Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:53.124{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437485AE041594912838DC90FA5B801B,SHA256=C987666798B9C28BB46636F8D32E5AFF19301A2C160F5751756AB6FBCBB4A9E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553326Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:54.058{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743AD8B2269A45E69B2A78A39BCBF5CE,SHA256=32D498C7B455A95D8D82C76DE411E6E0ABF0398E1A9787CBE644E39B84582642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651700Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:54.130{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8AFC70ED3E3D06B2989803E62024A23,SHA256=AC9E8D2B9157A97F4EEDF5A88B724E6F606380BA78E9E4DFBEC8FF890A3CC80D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651699Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:54.129{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA4A2477BE391D7D90C6EB0DD30D937,SHA256=A5350CEE342B505964D5F2B5995F01553AAB88B2B1AD29E6CD157D20EB67EE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651702Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:55.137{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6008D8C81AB59BB123B5F168C0323A36,SHA256=845D3D2DDF087525468A4A448786C179A1BBA00A3D9BA8686B342206BFFC846E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553328Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:55.137{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66E946481540A6E3769E1B79E95C5B50,SHA256=7BA3835FC7F878CB9FBDAAE87F76864DB1B6D73964876D98899870824BD87B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553327Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:55.059{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D320F0B312986E445A3A8C8D187E0F8,SHA256=B330E25545BCC633D7BCD34D74D3117A070673A333F3322C239EDB3F6F80C2FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651701Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:53.361{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65094-false10.0.1.12-8000- 23542300x8000000000000000651703Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:56.143{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2021D42F804ADF0F1FFA678C2FA90185,SHA256=7F09CC49F7E843E5E136C9AA7E2469FD9F51F8F7F795FE08845EF3FE57F5FA0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553330Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:56.075{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828083796BFE056CA27CBF159B3062E4,SHA256=62266DB982154F917A167E23074BF63171777B9A4234AC70459057F231B48EDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553329Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:53.778{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51566-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000651704Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:57.147{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3B461651E5C6416210BFFF1625F6F2,SHA256=06F3BE329429A74BE3BDB1326E2F88C7F9589C009C5B5BE55AEE400005A3EFDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553331Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:57.090{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A6D8E225213BB4BACDB2DE2C8F31FF,SHA256=74E6503E5AAAE9E48DD19244B52ADCECEFE6E544590AA124241089E4492807B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553332Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:58.106{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD83A88E9CD4FE22047301AC50471BC5,SHA256=7D706F29BA84C7C5381D73172351881601B820BB53707E3ACDE680E2A435137A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651706Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:58.718{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D2E1677B776C02E59BD7C690C943F92,SHA256=222D9318D3E8546D07D6848216D1C96858078A7EA104448DA3D090BB0C582ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651705Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:58.158{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D2326D271C2A6DB246210F586B8793,SHA256=C547AAD929115B76676C8474A47A7AE18387D649CB0CCE14226B6D1229C4FDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553333Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:59.121{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0AB755C555CFA4D00123FFB89F134C,SHA256=65F4F4A4ED74E9D5CB47AB6A55915782E710316A1AE5E739DA934287077D8235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651715Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.313{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=9F644392C9CCCB8281FB63527CE54B19,SHA256=74831CB0EDA2B0F2885D944CEFF65F45C9D280D97DBDEFBDEB5FE33BD08B7EA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651714Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.311{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=4197EFF7F28927B9EB43FFEE86AA9200,SHA256=CEA47C3462704ED4984CAF6D189FC8614438FDB3113A2E69216C96EDA57FDEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651713Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.310{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=74020A9608C8BA2AE05264B8F86B6F79,SHA256=731BE1568D0ABBABA48CEF9951D12D00B44D2F9E9D03053A4D53E95957A70869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651712Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.309{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=6701A18602DBE22B9108FC890A0A614D,SHA256=E3EDCA0A8B58444B5C8E11A708C0261E13CC1475CBD539899664634A9ECD2FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651711Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.308{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=D4E9E58693815B86F3CB0EADDD206380,SHA256=816C1B600D14D4DDE61009E9CC7AC03BE9EC34AD1F055FAEA1834F80CB44A276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651710Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.307{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E60F45E220A2118D350E0315A98987BD,SHA256=AF844B91EFF9E07F6E9AF25595CFDE49AA30BFE25ADDD974ED8B546C3E4EEDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651709Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.305{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=6D2288827779DA59077CBF7B956CA836,SHA256=A90C5C8A57C36588343EC95C73362C8D2CA49A9953BF33563A5929B05959E449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651708Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.304{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=BFA5D6B92B45884A3F23D2E76B8EB3C1,SHA256=985614CB856BC7A90CC4F651C23D8A8E193D63D666EAD8792E12F6AF3090807E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651707Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.169{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F64F4897566B47B39FC81999D99054,SHA256=80F78157128B3A0899D9C0A06A496E18AB2E4157AF6C28E75F5BEF00764C587B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651717Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:58.414{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65095-false10.0.1.12-8000- 23542300x8000000000000000651716Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:00.184{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFEA56039E2B05CB5A048ED0412D93C,SHA256=C2D86D9CFD586F5F5A68ABE1AF367CAEC4C554C06734D640EEBCEA67A4734571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553336Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:00.340{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC91E74FE93E86A87E8C502C0ED196B6,SHA256=1C24C9DE188C8DD9E6E08468913D5B934D414B70450997DC088D90FC24806609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553335Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:00.340{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B113D584205B0A39A171FC3BD82E10CC,SHA256=FECBAB0B09D41EA74A7674E4AFCA269395B41956EBA9B4BDFDC2B3BA6AF47477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553334Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:00.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD40F5B2C71CFB34AA08083229FDEE7A,SHA256=62D6CC4F0C39618AD14576E961CE43579198B6B150E771F34E9E2559ACE295D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651718Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:01.197{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414AB040E5AF01A123009C3BC1346DE7,SHA256=759F6B534E98ADC8EBD9C3B7EF600A4A2377FBE7A2060168A7CFF559EF09A96D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553338Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:58.827{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51567-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553337Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:01.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6F1660478B212D73206A5BD752ABDE,SHA256=3904162DB79FFE17BE880B4F15AE67F767B23713394A821C7030CFA60D942B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651719Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:02.210{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40358B30192FAB7039933E915293DBE,SHA256=E7CC4C983472E73ACC210F8FF4A21338D3D2D7B36B82AA23F0B70E6CF8F6D671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553339Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:02.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412078D61A8AA01F9F899C6BA3B34E6D,SHA256=20516E8320C9DCDC574676E81406F1E7002FFF3DBE342B7674EDB62F837E7DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651722Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:03.728{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1B1574700E05B00DD2F11CCCDCED811,SHA256=96A6EB004779E8086FFF1374452673657D9DA8DDA998EAA69FBAA4B9010E9BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651721Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:03.727{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F80D1D6ECE82335476BAB684CB62A125,SHA256=CC394C2572FD5F9CF5E8BB860C1F3E92B8509AA14EB5E52F0AF6B3236B81EEB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651720Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:03.270{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A69A7487A2241CEF50438E3DF93549A,SHA256=52F12F44FA30A479AB79423017F36EA8E2F81A045E455DCABD77657BE7BF923E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553340Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:03.154{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D26B477DC83BF8B850D87FCA1818980,SHA256=F59D55C34D5673343E658C98336C63433A544B4C13EABA4B4B3894A88F0BBEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651723Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:04.286{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD748E54C8DF1750779813216C8B9C7E,SHA256=528F0D8933AF119784E935BBD22A34EE78CEEBFA43806ABC6903CF0637A70CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553341Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:04.185{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB35C554B078E3D228F443DF5E078C1,SHA256=DAEFAFF07EEE2669E88DD5848D67041A2B32DB35BA1D760D95597EEAB4D56133,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651726Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:04.358{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65096-false10.0.1.12-8000- 23542300x8000000000000000651725Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:05.295{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CB94C80480FEB16799B02BF74CFFDF,SHA256=D405E505D013302F1FB89F3064EB92E21A3B505F77D60A2FB3C9354C0DD860D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553343Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:05.232{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC91E74FE93E86A87E8C502C0ED196B6,SHA256=1C24C9DE188C8DD9E6E08468913D5B934D414B70450997DC088D90FC24806609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553342Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:05.200{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FFBE6D1BD6CA30845D838D74F885CD,SHA256=4FBB84F645112B1F31BBF32F8D00316DBF61266EFE2B9A4C447092A42D385C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651724Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:05.133{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1B1574700E05B00DD2F11CCCDCED811,SHA256=96A6EB004779E8086FFF1374452673657D9DA8DDA998EAA69FBAA4B9010E9BA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553345Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:03.859{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51568-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553344Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:06.216{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DC41A56E4F152D89DA247CB352E392,SHA256=50C2D66D752EE3270E71BD959E53AFF9DCAD79F2AAA0CE794FB4550830279BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651727Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:06.311{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F45FD8C0342DDC8302BBAFD61C524FB,SHA256=B5E918772A701E6FE2B0F25C9858431B3C380CFCC0FF47AFBC4B7CB3D54EC49D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553346Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:07.232{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8512D8D2017FD825F54F8B376260A2,SHA256=10383F78E55D780CF9F08DB803F036FD3FFBF753672A2B3B15445B386DB97D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651728Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:07.318{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4E674B1127FDCCEA47D25CB9E03932,SHA256=9B9E3ABFACD78A1BBEEA8B22508611F4A76EC4B8BF6ABDCA9E20FFDEAC4DFD6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651730Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:08.698{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7552EB87210A835B483F6BB59D3ED6C3,SHA256=2D3C45E704AF665BD4B2868011555D273DEAFBC4983EE9F1131DBB6927A4C36C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651729Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:08.322{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F24AA364E2603FA3F950733727E760A,SHA256=B9DABAAB3142D1A4A17C62B591677CC7FC00C806E583F2823D03332E5B2F8B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553348Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:08.700{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ACD62475794E1DC248C6E488D3B7EC7C,SHA256=E3C02AE6DA32911861C64FCE2D03DB3E939376243BE9F11CBBB2FE0364831639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553347Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:08.278{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25EA1CE0B894A2988B5F79E46420126,SHA256=E4CE30C464EAB109753DAF40F33E2C627BDD0549A29E892E2465D55EA92567F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553349Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:09.279{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FF7462447B9E1F87516A4782576A20,SHA256=0A9D0F5C6D820470ABC36668458A3CAD319AEFA22AF52C19DD17BF3014534F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651731Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:09.330{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5DB3CF0CDCAFB74384065763C242BB,SHA256=E81FF16112FC5119D3C65B2E52AAEE774DA46A62A9AA4FB0FA05E18608C06E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553350Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:10.294{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDA40BE2F4C2B93C1941FB08F70A074,SHA256=19470B13673A135C9C04ED67056BA3D9DF65E7E720025DA0CCBDEBB02420EAD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651732Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:10.340{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E61A996A86EB4B6702A96100B6C470,SHA256=3A1A2188FDE2C581728F642A18CEFB81E0DEDA0312E8E7BF0DEBEF7B86D2184B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553354Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:09.749{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51569-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553353Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:11.325{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6008F74A92332117BDA60B0673121B3E,SHA256=E76A4B3AEA587343189BE1D698BCE94DCD7743960BC587C129D7EEA1C9DF63C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553352Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:11.325{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=565637DE58C7EB5EEC0A27153234FEC3,SHA256=0632BB9E551AA1585B895D7814897ACE678ECF0A0CD7C2D1E257C7C8CF66BC34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553351Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:11.294{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DC5A2BC991CF46B66F99B67AFBA8D2,SHA256=88FB1E7D686BFCD252B95CC06AFBE28222A41282E72026912B2E6ABCFB7AFB88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651735Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:10.307{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65097-false10.0.1.12-8000- 23542300x8000000000000000651734Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:11.354{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC2FF690352A3CFE9AE854E37F10DE8,SHA256=AAA7971C7B54C8944230A93B9E846D871F601ACC9014B10B4A7DC2B431065D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651733Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:11.069{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D7C50E329D5F09E5FE586E0047AB140,SHA256=15C8013316862DA46200E80B92DD56C74605A6B7780E2996E2544EC51C6CE8BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651736Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:12.376{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B8D6C8543CE2A8B770950EB1120F1E,SHA256=C6036CEAE7E4C6FA447F6DFF781F4E63C652A01109945586FE260884AC3734BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553355Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:12.294{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50609981D96232C57539F6DCC9513BA7,SHA256=CA795CF41A5E35DD2CEFCF521D55D0B9DAF1A6E54887B709036B2057E1BDC0DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651737Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:13.389{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D769D93A86D53DFF762B488332BCA81F,SHA256=1C3233133E87CF8E1BF4DB1978AE93D826D64AC145CCCBCA04FF4D86E15EE0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553356Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:13.310{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B14D301C37B31AADED9673BD74F0CD,SHA256=BADAF83A32E7E9A6586675984EDFBED3291F35308F9445B5FA8DD1F374D7ABB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651738Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:14.397{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=070230C7E894E9119D1E28E89CDF9B21,SHA256=2591FF192D333ADC0F75C0CE4221553D8537CBDB1A40DF52BE852549C329619B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553357Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:14.341{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2AF8E1C973439AD72C31E10BAAFDA2,SHA256=E1AF80A2DF4679FFF5D97FE444757027AE5482D7A3521EE57923915F38A8F1C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651739Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:15.408{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F2E5F627B267A2DB839005FC0D61B5,SHA256=4E8C53F319BCD033B3AFAFBFB9AD523CD0E9AFF3A3BA5B0AF9E406E05AD9ED95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553358Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:15.357{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9F9D70697FA6E52011ADF749D2B023,SHA256=3B78A83E93A7E47E4B35241EE8408A9DD9806C6E4E9DE57BCEC3D60DE456EF41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651742Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:16.454{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB89B55D906FE017E7A09347D9C95D3,SHA256=7E1B0396B8C9645AF81FB3305D529D4A1069D1F8557B96C34E852FFFD6EC22B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553361Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:14.812{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51570-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553360Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:16.372{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF1B37188C27B947EC35927107AF92F,SHA256=32B6630F0D88C6B360534DB4992ADEE3E13A3141D01FD9E80DA0736DA82E4014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651741Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:16.123{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28DF47F8963AB83A86012DF560F07B65,SHA256=5435C5356BA089704B2503DA5E3C25F3B6EBF888D3AF828DABF7E080A3C030A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651740Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:16.122{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2DA36AFCA601FE712772C5077D9E12E,SHA256=C949A9D34744A21F982797886249845D045D58BDE0E60C41D29243C263EE0E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553359Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:16.200{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6008F74A92332117BDA60B0673121B3E,SHA256=E76A4B3AEA587343189BE1D698BCE94DCD7743960BC587C129D7EEA1C9DF63C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651744Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:15.355{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65098-false10.0.1.12-8000- 23542300x8000000000000000651743Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:17.468{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2635E5FC738B160C15E0DD7FFD74FB,SHA256=4D700D720BCA1B5CC21210AC62AC0761D48A83CCD34A85AEB95545E47775E099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553362Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:17.404{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0F5346C72E96EEFF6FF20DEEDBAD59,SHA256=79F56C248D9EA95102F682F479BC9426E521C4B7050F0EB404D9AEB79EFAA907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651746Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:18.740{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28DF47F8963AB83A86012DF560F07B65,SHA256=5435C5356BA089704B2503DA5E3C25F3B6EBF888D3AF828DABF7E080A3C030A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651745Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:18.483{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66386F623C76D9241FFBC3254BBA1F3,SHA256=3EF1C22B8DEA53577C7096170C271A25F9A6095584BE59EBA4415286BCEC71E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553363Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:18.404{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CE83B01D2CAB5076B52717C7299F48,SHA256=4F370E75AE4984A4C53CF9A01DB85E75CBDC0C0B469518462DC1E3822683D34F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553364Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:19.419{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6CAE82B8C35699196D03D1FE3371F3,SHA256=261DCBD78D013A219858954DB05DF7550076026BAE7A1EFF7877C54328300BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651755Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.499{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D4F461C6798CABBC0B5BA932B41FDC,SHA256=21E29685150642507CFAC099180763826B58656D29CC8671D70F5AAF5CCE685F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651754Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.381{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=AF5B9642F3A6DF02A0B51D41E61B9B71,SHA256=58799FB4D26047360E198B71E243146BC67EF77AFAAFA61699CAE563A1B4022E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651753Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.380{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=12C2451F5536A784DB80B0F6E39EA11F,SHA256=9E00F13CB7CB0F5D9D79866E8BE12EC577079F111D6C8FBF8B87AF0B5397AE89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651752Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.379{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=5644CE059FBF21F30E6A94F7EA223013,SHA256=03FA6CB067F2D4786BB26494A7FE797E1288A3CA66C1EC89F3DCFB568804CE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651751Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.378{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E36FB4FBB89BEFF86D93B5709A1E8E9B,SHA256=A18D23FC6B8CBD0AD3EBA29F85BA605A82837C8F6FEC0FA0595FA96F8C77AE9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651750Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.376{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=68AC10C15C7CB890FE6B470D9C82357B,SHA256=A967954E44C96A592BA7148ACB06193219A3D4D50B66646577EB7D865F54C13C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651749Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.375{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E93B9B257221493751259ECA55778B63,SHA256=507B585E5D6C2F97672CA7014FCE7100D591E6E9B5C6453F88037462C1EE9ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651748Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.374{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=F0FC8B0606D8F6EBCB0D6297B088A25E,SHA256=99ADCBFCDFF3E73CE20659FB0FF36B439D74B6A4EB1191EAC096F4733BE9CF97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651747Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.370{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=A78DFE539A7C66C286C342430CA5F3D1,SHA256=CE3A92004BC7D4BA0FB2EEF7BB642D98922D79826F3CB2EFE762DF2E4EEBDDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651756Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:20.535{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA4A814949164E48420417CB850A0EE,SHA256=8BAD57FC73C21C22CE3003DEF3E9F5C438A65C335D446FF767F5C114EC60F8D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553365Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:20.435{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911811307E9D62110AF490007DB5FF84,SHA256=092ADD00FE0E2E852993B034B748C43229E9AE34B1660EE603AFCC3AA3E20857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553366Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:21.482{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D933F3C8E17424F59B1B9CE85AC7E36,SHA256=78795012D65FF2B35E479A02C024CF6A306F9F5E261166B5E6914C8ACB558BFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651759Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:20.393{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65099-false10.0.1.12-8000- 23542300x8000000000000000651758Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:21.548{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477F2A7552CF5EE04A677DBFCED69228,SHA256=6A0312A741289B1F74A84D41F1627D85212F546181439029BE0D0B9042F23D87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651757Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:21.175{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29652026B35491AFA74B9E2832FBBA43,SHA256=7FCB67A157FB7E57D2E9F46D3A23C8A55B743F5FD935FD2036E1E5BC9FD0FF9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553370Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:20.749{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51571-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553369Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:22.497{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901349B697F563C40F8D33761FED3F50,SHA256=3A07D216D00F15D33E65ED6544B468E770DDD9F8F81FB8212DA7792276F1A3FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651761Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:22.872{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651760Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:22.564{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F1D277CA3483F5C33D5CD7E64D91E0,SHA256=F0DBE3AA3EE507081114B43C9AA365050C64D9804F133C4B5687254B3518603C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553368Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:22.341{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F49B5B01B6EEFCF627B2AC3B7A4B679A,SHA256=0710FB5B6F62050D471677BDE2CD542347E79E72CA9C2F3D30BCC21CC21C28AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553367Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:22.341{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF08D685D2152B667028F2C6769C8BB0,SHA256=5F37BD40E8FF2FFD41AF96AB50E1A81C5BB0EB7972EF3728895C3A9FC76FBFD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553371Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:23.506{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B827BC6B9ECBB2F92F4D8C490ED583D,SHA256=7E6EFB5FD4DE33F34A8733EE18DEEFEA3B9458D81FA48A6504430DC72DBFECB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651763Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:23.757{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=876746DC1D3BAAFB241BE57D429CA614,SHA256=EE4095B6507C06A06DEF4594B4E9A344BF268C862CFC3ADEA3386CC13F42ABF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651762Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:23.573{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F733471C851838A530BE57FB2EA4DD,SHA256=33F389B6C058530E78BDF7A61DC7F655514010B14AF47D262BCB1A2BCE350D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651767Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:24.588{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85447495726B887DAC056FDE5C4E19C,SHA256=6DBE5CB208A0B88DD04A1B45885A27F1BB9A1EA721DCAB17F9182FA9C8180BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553372Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:24.537{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543E14C0BD8C94BBFBA93B7705669400,SHA256=E41FF71E8AEC32B9120D109BF6E25942661D8DA18CAA976AEDB32FE25FA62134,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651766Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:23.534{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65101-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000651765Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:23.534{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65101-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000651764Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:23.084{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65100-false10.0.1.12-8089- 23542300x8000000000000000651768Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:25.625{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C561B082C2090784F5D2D062C790BE40,SHA256=4DC44342E208447404670E44A7166B5937D0104C59712DAED764188998F99823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553373Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:25.569{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920624CECA9F73BD8D26F795DB86D064,SHA256=E09A950BFD799E93B585CBC89BC30AA7DB00AC36ADCDCD2E2D2010C2FFB8EE66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651770Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:26.629{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9CA423BA9FEE87A8646E7CA10F5AFA,SHA256=1B63D58533501C656F4F7D7038E628276AD32EF048F778B523973BCCF4AC5E2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553387Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68C2-609D-424E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553386Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553385Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553384Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553383Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553382Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553381Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553380Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553379Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553378Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553377Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-68C2-609D-424E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553376Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68C2-609D-424E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553375Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.757{E1BD9FC2-68C2-609D-424E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553374Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.584{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01FBB1A1A61A650223405D37677AE777,SHA256=CF11864DC146D79941EB304286F985034311F49E2AC48F07234628B200AB2562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651769Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:26.211{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF759013B3807CC4EF1B8A996993960B,SHA256=644695D03ABD13F93BAB4FCE00DA88F0A849B88D658F086F22CFE2EABFF95D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651772Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:27.640{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AE0631212CE65398B84F2CC3989F91,SHA256=421F19877FDA95F230B05FEA8EDDFD7B369D4F2A82A0265FB17954BC0A692DCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553404Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:25.774{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51572-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553403Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.741{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A3936F8089BD96C914BA38B9EC5A62,SHA256=B6B8CA47607B79FEBEC795713944EA45E47F1B51C51C50A2AF6311537DEB6641,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651771Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:25.442{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65102-false10.0.1.12-8000- 23542300x8000000000000000553402Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.506{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553401Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68C3-609D-434E-00000000BB01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553400Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553399Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553398Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553397Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553396Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553395Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553394Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553393Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553392Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553391Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-68C3-609D-434E-00000000BB01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553390Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68C3-609D-434E-00000000BB01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553389Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.382{E1BD9FC2-68C3-609D-434E-00000000BB01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553388Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.241{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F49B5B01B6EEFCF627B2AC3B7A4B679A,SHA256=0710FB5B6F62050D471677BDE2CD542347E79E72CA9C2F3D30BCC21CC21C28AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553421Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.975{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BECD4792FF5EDF44263C02955A100BB,SHA256=A18725E82C87BB9ECF8AA24E06F2BADB229F12CCC68CD7A3029CC4500DCC6EE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651773Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:28.649{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B0D8BC5796A15F8A170F4E97CAB01B,SHA256=7133A5CC7A4617F4D80C3D442FF8E4BCAE29868AAFB88A8EE29FBB5C2BBFAC45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553420Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.133{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51573-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000553419Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.397{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8EF254464C9F08EECD51A7220D02FF4,SHA256=96560B79D6A4D4B66ED6978C7863277E09C861AD8AA2AE23B1DC7414CDC0D55D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553418Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.178{E1BD9FC2-68C4-609D-444E-00000000BB01}908828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553417Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68C4-609D-444E-00000000BB01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553416Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553415Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553414Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553413Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553412Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553411Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553410Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553409Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553408Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553407Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-68C4-609D-444E-00000000BB01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553406Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68C4-609D-444E-00000000BB01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553405Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.054{E1BD9FC2-68C4-609D-444E-00000000BB01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553422Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:29.991{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4283FD406302948E3AA423AA9B742C,SHA256=37C797DCF642C24B83BA5ED30F1530D9AF0A50F619B00318B812966051C1A94A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651774Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:29.655{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE7D3F72DFED9AD475935D42C096395,SHA256=842ED4DEA6C0F84EB1F4B4F368A25AA9CAFA5CFB8B4753C7F29C67645692C3FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651775Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:30.672{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D87F81C8E1BD5CA975119BC863AC96D,SHA256=73DA0E97ED831C8BB5D76B1C390762893C64C440E86706AA6C13CAC476C1A224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651776Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:31.697{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C2DE79840BD15EBD530BD559F54D3B2,SHA256=6DF4681227ADC23FB45A66D756A3F2588B48775D0302247C3B27C6D0DE403D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553423Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:31.084{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549BC964964AA3D896A4D66DB6D6B13A,SHA256=849FA0308C2838C5309972AB106BD642E3A99C899288A95E797C5ACABBA2A906,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651780Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:31.324{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65103-false10.0.1.12-8000- 23542300x8000000000000000651779Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:32.705{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10E44A0C8B5C1AC6C6559489B45626B,SHA256=5BC6822751C1905FD2A8EC4F860A7704B5A977CBB0FF2F70C082565A2B0B152F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553425Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:32.194{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D970B195A162D9C8B9B8DAC0F344A6EF,SHA256=A037A8DD737FC8A5937544EF08F81BE24EF13141AB621A34EDBBBCFD86DF73F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553424Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:32.131{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0066E00D381FB1E0755368C984E63569,SHA256=1A7F8E3C3BB3B410EBC256E97953C77442F7375E199D8FFEBD387D75577FD17E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651778Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:32.092{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=932A5168A066DAA35B0F516C542BD972,SHA256=28149A73F766E8B06A38D69266F63036BFAEA12B71531D2AC29FCA216F31596D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651777Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:32.091{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F378BCF98828DD7BBE98D7DD308EED43,SHA256=EDBB2C4B462164FD642554F1DF0E5F6531D686E0EB0D9AEB3593E623EA558163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651781Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:33.717{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB51D3106B54B24BE8FAF002DB09448B,SHA256=A5F7381A1A97BA98D3A5476503BD03AEFD935121A803042349EB9250E9AA9AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553427Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:33.131{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E57BE96EE96A46439832F2C3B68542E,SHA256=FDCF8816BBE6039B018DDDFEA832759D0E7BFBD833B4E4505975D8DF3723BD65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553426Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:30.774{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51574-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000651782Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:34.723{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A1B7C8E968F81878B27B035CC0CBD80,SHA256=016D88E98429A4EE233AACF0E83548851D3696529A5713F06387B93AE8D14C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553428Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:34.194{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D09B4578EF6C68DE11C525B2B7DBCBB,SHA256=E0EE40B7117ED23313EF6DE60920EA8D4D177FF7204C7D483C3486F0E6D6F8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651783Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:35.731{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D2113C594F04CB22CB59594189603C,SHA256=8E4AF65C7C9F7C10A80B86A1CBBFE8E7FF90EBA01BC539CE6725058ADD761683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553429Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.225{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=679A0946299D0B37F27481A72E293617,SHA256=4E74ACEF54CB649BC7F8AF6E6F24EC14D92BAE5C16228CDD4351D1BC3AD370C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651784Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:36.764{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DE32BC44143A15EE844479D30D6ED6,SHA256=2D5B694B70B447361D20265EC104BBE58B462ED137108B54FECFFCBF665DB20A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553458Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.615{E1BD9FC2-68CC-609D-464E-00000000BB01}2052820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553457Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68CC-609D-464E-00000000BB01}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553456Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553455Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553454Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553453Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553452Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553451Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553450Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553449Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553448Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553447Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-68CC-609D-464E-00000000BB01}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553446Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68CC-609D-464E-00000000BB01}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553445Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.492{E1BD9FC2-68CC-609D-464E-00000000BB01}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553444Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.256{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46FDB4AFD7233A88381C1A7DE1BE6356,SHA256=DE1B2C846CC27AF8751B69822D30E0557E0A4F9904115A2DB4BA89646C86F828,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553443Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.115{E1BD9FC2-68CB-609D-454E-00000000BB01}38401876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553442Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.006{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68CB-609D-454E-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553441Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553440Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553439Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553438Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553437Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553436Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553435Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553434Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553433Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553432Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-68CB-609D-454E-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553431Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68CB-609D-454E-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553430Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.991{E1BD9FC2-68CB-609D-454E-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651787Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:37.784{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20D4B9649CFD8F3C00FF53588F0DD02,SHA256=C61BC09D062187D20FB05D0C642995C0D07803E103B50D4FEE0C9E055860F426,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553488Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68CD-609D-484E-00000000BB01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553487Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553486Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553485Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553484Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553483Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553482Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553481Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553480Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553479Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553478Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-68CD-609D-484E-00000000BB01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553477Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68CD-609D-484E-00000000BB01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553476Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.835{E1BD9FC2-68CD-609D-484E-00000000BB01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553475Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.631{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89554617EF1C6D61BBD696F63DE19722,SHA256=7A47D3B324E6EBE71498E5FE2172D6E56C85957C3E35F27ED4687B9DDE8E037E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651786Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:37.253{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3371E14E74907A80F1A82947CF43205,SHA256=C321E47B5C952086B777DC50763F1B36EAB27FFC020C9464F2397F51243E3562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651785Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:37.252{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=932A5168A066DAA35B0F516C542BD972,SHA256=28149A73F766E8B06A38D69266F63036BFAEA12B71531D2AC29FCA216F31596D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553474Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.287{E1BD9FC2-68CD-609D-474E-00000000BB01}29323560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000553473Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.194{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE55DB45C835D09FBEC81AA51BA31C5E,SHA256=12E039A7CAC27CF4AD540F57B608149635B786042146EF6C686647DEFF46E1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553472Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.194{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8195804715B147CA2721ED798596E1C9,SHA256=F5A63C68BD86246E5844B4A6DE9CBA75D8ABE3CBE893F9CA4D287783F8CDBC58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553471Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68CD-609D-474E-00000000BB01}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553470Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553469Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553468Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553467Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553466Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553465Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553464Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553463Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553462Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553461Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-68CD-609D-474E-00000000BB01}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553460Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68CD-609D-474E-00000000BB01}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553459Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.163{E1BD9FC2-68CD-609D-474E-00000000BB01}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000651790Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:36.482{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65104-false10.0.1.12-8000- 23542300x8000000000000000651789Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:38.797{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4A17AAE32F046AFA581C899CCB2A20,SHA256=698601A8B2A8E5DB0B1D499E7F47B3FDB5A01587844473A815E28FCA550C1F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553491Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:38.647{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7386120F2B9A15C08B3C9EF31EB32E5,SHA256=FC97BC8A4A269B8B4D6D2D54C5DA06E2B859FF673D67C10ACA33BDE984538551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651788Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:38.751{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3371E14E74907A80F1A82947CF43205,SHA256=C321E47B5C952086B777DC50763F1B36EAB27FFC020C9464F2397F51243E3562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553490Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:38.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE55DB45C835D09FBEC81AA51BA31C5E,SHA256=12E039A7CAC27CF4AD540F57B608149635B786042146EF6C686647DEFF46E1E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553489Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.810{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51575-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000651791Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:39.799{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7889E66EE3CCAFE4D61282FC1673E554,SHA256=501B447A630918D1A9B8924E565EFF668A69848FA30B5CDCE7AA35ED55556D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553492Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:39.662{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA50FC4BB0F3E547E359756BE8F47250,SHA256=AA24EEA13088EDAABADCC8C1711ED5ED16016D0DF918D2779C29A108E5D83D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651792Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:40.814{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88511A5A74BEF7C7E17F93C6A686DC4A,SHA256=1F8A0BE3E2451689C2D7A79A269A8B48AEA12AA5259924BD21F21691346E450D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553493Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:40.678{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63474E7A533A42780A7EF3C3D1600535,SHA256=6F34DFB79E448B4E709F53D501BD0FB9C16953C74934BB14EC518A9D82A68717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651793Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:41.832{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120D48271EB70B165E50E36C01437131,SHA256=351468FFB2A21443F1CAE30BB1A944A2B163B2B6B873FB00304C37D5014FF8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553494Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:41.678{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49373893F88ABADD72CB1494B098C65F,SHA256=875FD4857ABC19514B7CDD66EDD23962704F28819586D8E97D9865455A7ED26F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651794Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:42.844{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867ED27AA0EDEDC936E581CDA04B1C0E,SHA256=C6518D91D98F08311725FEB87612A7D79C0FE7BB2ECC052AB8A43CA0F32BC1FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553495Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:42.694{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45912B2685B5AA15463F6AC861EC357B,SHA256=581B5D702414A9455CE17734B129C382140695D66C88B0512E3C698A90033867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651796Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:43.859{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3584E8F0A818E77DADCBBC49E077CD,SHA256=8662DEAA104B34507FD385F6E3153F3EFFC8B49E0ACAB87C54E1CBF154A7B859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553498Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:43.729{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F45E10A1F995611B4614DE25EE0FD83,SHA256=A9B718A549D9FA7F1BDCDB1AD8A2110BE6588F61CE210317A3FE70C410D93289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651795Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:43.238{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8662FA9B53C027B75FCAB77F78161C19,SHA256=9AC34DB02DA72C2EDF4A0E1EF4A9E4E410A4F9DDACAE65BA5DF643502E2C03CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553497Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:41.727{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51576-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553496Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:43.167{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15D9994021E0F61BC8122F136731AA90,SHA256=B47BBBBDBBEB28D08F5E440006A431E49E6669971148006B591329339AB4CC89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651799Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:44.866{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B743D7AF070C6D22E492B7ECFD6FDC9,SHA256=B73F227078F0B9285B853EAAD1B833D742643A0BD39B4A21593624639820FF78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553499Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:44.776{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52CB03BDE97F2CA90FBB29BCA841F95,SHA256=B09B10FC913A4F8CA67EB89FF6EB06DE4E4D9F2F745D614A3185E107649F7A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651798Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:44.479{7B03F3B2-4788-609D-774E-00000000BA01}1036ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1036.xml~RFa220025.TMPMD5=5714059E6175AA2BE2D911D4379F98E9,SHA256=264C6878029CE25FF6ED4F8B1DC23FC47E1DCE8FD2D3EE4B31E7066B69968955,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651797Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:42.468{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65105-false10.0.1.12-8000- 23542300x8000000000000000651800Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:45.877{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F11A9B80B4972FC64078DCE84C6E88,SHA256=D4D349B48D2C5065CDA9725EF2A9D6C14C93E7FB8F4ED7F940807C02DB8080FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553500Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:45.792{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41F601391E7F14BB396BB40DEEFBA02,SHA256=541B63600E00369C0392DCD46B924DCE73CB8019FC731E1FCE9367BF0DBB7D0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651817Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.936{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-68D6-609D-3353-00000000BA01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651816Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.934{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651815Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.934{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651814Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.933{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651813Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.933{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651812Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.933{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-68D6-609D-3353-00000000BA01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651811Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.933{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-68D6-609D-3353-00000000BA01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651810Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.933{7B03F3B2-68D6-609D-3353-00000000BA01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651809Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.885{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668174E32C798A3B45F4A430102326DA,SHA256=AE49CB20191B603796ED9BF0D95409EC5C1F9A9F726583CC18F06ECFC9500952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553501Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:46.792{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BB4675EB0280FBC24B1B6619398099,SHA256=BFA0267B772C93ACF8A76B8E412113A96352330C6829D6565A59ED5718437897,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651808Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.256{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-68D6-609D-3253-00000000BA01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651807Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.252{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651806Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.252{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651805Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.251{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651804Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.251{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651803Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.251{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-68D6-609D-3253-00000000BA01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651802Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.251{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-68D6-609D-3253-00000000BA01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651801Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.251{7B03F3B2-68D6-609D-3253-00000000BA01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553502Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:47.838{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E151A1324217D90A87A164FD3EF7A4A0,SHA256=DFD57EB92DE5F91205DAE4ADF1C581492E33D22F7406E2D49557EAD5247FF438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651828Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.902{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2CB9D942EA20D4E97262277F0EBCDD,SHA256=F0DAE9119048A6DEB6FAAF10A27D20C948F6FAF8495720E0565F6A7B5FDE28C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651827Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.614{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-68D7-609D-3453-00000000BA01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651826Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.612{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651825Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.612{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651824Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.612{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651823Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.612{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651822Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.611{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-68D7-609D-3453-00000000BA01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651821Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.611{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-68D7-609D-3453-00000000BA01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651820Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.611{7B03F3B2-68D7-609D-3453-00000000BA01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651819Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.261{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D67DE4B9EB83E8F1F74A12F24B98CC9,SHA256=3E552F71040FAEB0C9667685683F444596CD314A522832C6385DE0C4846869FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651818Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.102{7B03F3B2-68D6-609D-3353-00000000BA01}22842308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651848Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.994{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-68D8-609D-3653-00000000BA01}7908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651847Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.992{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651846Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.992{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651845Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.992{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651844Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.992{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651843Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.992{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-68D8-609D-3653-00000000BA01}7908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651842Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.991{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-68D8-609D-3653-00000000BA01}7908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651841Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.991{7B03F3B2-68D8-609D-3653-00000000BA01}7908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651840Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.911{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75EA90D5189755AD0CC6FE4370B1EDB,SHA256=8972413F4895C114F91FB097A0E0E317AC484FD19D6392158859BCC97AC181D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553506Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:48.854{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DE466224DC4CCB5C1B72D1914D7E8B,SHA256=C07E4D1DE78AD1DA1CE6F8F2C5A8D86A9A7E862EE5DE45A5DAE3F1480A252602,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553505Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:46.794{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51577-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553504Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:48.182{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=108AFF58EDD2DB5AFE441968AF91E744,SHA256=B3A085F60473F1710531F59330B201D206844D0EDA441E48900902A9C2FCA4C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553503Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:48.182{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=055FD2D435438F21BDAB75CDE6C16029,SHA256=B0C57E816AAB1322D80026920585B11A707013743948446A6360BC78C7EB0281,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651839Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.468{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65106-false10.0.1.12-8000- 23542300x8000000000000000651838Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.624{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28E8B4ED7299BF1224EDAE11ADD20EA4,SHA256=DEEA61A87A23BC19A1EF56194657CD20932113D2B265A83013ED357078AE5885,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651837Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.595{7B03F3B2-68D8-609D-3553-00000000BA01}28486408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651836Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.449{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-68D8-609D-3553-00000000BA01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651835Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651834Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651833Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.446{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651832Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.446{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651831Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.446{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-68D8-609D-3553-00000000BA01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651830Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.446{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-68D8-609D-3553-00000000BA01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651829Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.446{7B03F3B2-68D8-609D-3553-00000000BA01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651850Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:49.924{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8CCECE1D3EEA0C5BFEF5D0B057E9BE,SHA256=8D01E31BBAE10C0094E290EA5C03ECDFB329BD30AF996195DB780B201FF1EF36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553507Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:49.871{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844CBF1AC15141A5C8AB8625061D329A,SHA256=86CFFCBD5F59BDB5518AD463D2543031E43E0B4BA266D30A3A26FCA8F4DD2BA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651849Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:49.138{7B03F3B2-68D8-609D-3653-00000000BA01}79087660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000651852Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:50.937{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DB33B374427FECB25C600E97A6B39D,SHA256=48DE1847A3FF938FBE44B88E5584E84657D5585BC93E9D86FBECFD13D71DE05C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553508Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:50.902{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE85A7B7B9E957FEDCAF674737CEAD6,SHA256=6B673530F3F696BFDAF269E15FF337B17A158F4F14FE4EDDB4021B13129A492B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651851Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:50.002{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5EFB27284D4AB8357415CD8CF9521B0,SHA256=372EF720F7CF233BC8005EB5C45675ECAEBDA543428C7C612D69B7880CA2E268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553509Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:51.981{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB8B59A917F7F99C5393D4B2E932AB6,SHA256=2AACB6F5131566931054756A8F97267792FF8296520A5FB202185D2E28E21895,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651870Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.960{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-68DB-609D-3853-00000000BA01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651869Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651868Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651867Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.957{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651866Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.957{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651865Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.957{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-68DB-609D-3853-00000000BA01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651864Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.957{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-68DB-609D-3853-00000000BA01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651863Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.956{7B03F3B2-68DB-609D-3853-00000000BA01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651862Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.954{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC81FA3453290179B93C76F595F305F,SHA256=6EDDB619121C661E470D1E9D699C703445345E2E84AED1E92C43CB8EA5CDBE1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651861Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.366{7B03F3B2-68DB-609D-3753-00000000BA01}44687276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651860Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.180{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-68DB-609D-3753-00000000BA01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651859Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.177{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651858Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.177{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651857Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.177{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651856Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.177{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651855Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.177{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-68DB-609D-3753-00000000BA01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651854Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.176{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-68DB-609D-3753-00000000BA01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651853Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.176{7B03F3B2-68DB-609D-3753-00000000BA01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651873Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:52.979{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028C9CE021980EE41E59A9333C665DAC,SHA256=5CB613D3F8CF6EB0FC7EA3C04DA61DAC62CC891051269DA425A19D37038952FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651872Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:52.888{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9E55BB7698FAF7062E06D81B845BBA29,SHA256=03B40ED22D639B19A1F6DAE61B0A0269AE605FF69F32A2E27512DDDB73CA2990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651871Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:52.207{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA51BD60D98F8C19311474EFA305DB82,SHA256=4B84C5EE2A9D711A657DBEFE40A6980A6A766BEA31DCE9769D9BD1F9678AE905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651874Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:53.982{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23431C14090F59F22D501E2F69ACBFFC,SHA256=B69271B75A3529F1B1E56F7DC059E8036DC5D4E90EE12B7679DB339E859F2200,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553513Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:51.826{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51578-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553512Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:53.262{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF17147F55693087B311E17D7BB0BF0D,SHA256=1D9C58A196B8B5210A670203160236821B1886A688F203CEECCD69CF724DA691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553511Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:53.262{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=108AFF58EDD2DB5AFE441968AF91E744,SHA256=B3A085F60473F1710531F59330B201D206844D0EDA441E48900902A9C2FCA4C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553510Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:53.012{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BA5D1C052503A14DC477137ADB6D17,SHA256=4FDB92D89DB47478073CC5654ADAC8BE98CAE639BF1B59E1C5F404ED715467E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651875Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:54.061{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=719E1175D03C505721DFF0743FF4BE52,SHA256=19C4324E483B088C30769C12CB61FE089749146039A526D610BD4B4B93D363D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553514Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:54.012{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A866AD4C6EA63BCAA8DC15EBA7E2C7,SHA256=22CFE69369E0CEAED9F2A0766829DC1A16F22F17A3FB52DB7C0857E5FC0D11DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651876Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:55.009{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02ED88D742BB874C01398DA6F23DE074,SHA256=98C6709D6800D8BB0BFCBBB2A2AA1A151EAC60685DC01A248B3DD7C6D08327B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553515Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:55.041{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8263D89EF59ADA6A07AD7D72BCA962,SHA256=F6E457BE68B1C2D5B19C8A2A0278474A996D6310074858CE630C346A8BACD0CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553516Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:56.089{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5ABA3DB554CAF76FED2C51A5D21458,SHA256=48564DD8E8A2D0010A4F1C3226582D05DFD4BF2E7F70491467FDB5DC658015C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651878Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:53.287{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65107-false10.0.1.12-8000- 23542300x8000000000000000651877Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:56.020{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B187A788B76B01ACDF706B65E11B3F8,SHA256=42574AC5250E81AD85A671C3AE648D57723BC868787AC0D94F4BA8061D86B0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553517Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:57.120{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E99EB273DBB7963AF27B70F580696B1,SHA256=D93FC01062D22A97621A996A4BB32D303F93E12B6FE8B3556688846F241CFB14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651879Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:57.040{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E66200A400908412D55C5D09B879A64,SHA256=75AFFFD32DDD4011E934900AAE39036F93C80BA7207814732CA833AB8A3609E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553520Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:56.857{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51579-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553519Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:58.229{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF17147F55693087B311E17D7BB0BF0D,SHA256=1D9C58A196B8B5210A670203160236821B1886A688F203CEECCD69CF724DA691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553518Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:58.198{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED8B7ABE47F604CFCDD9018AD59488C,SHA256=961FAB40403483597AEA7FEB76146B4A15F6F7548E1D26C2E971FCD07E9A3E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651884Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:58.765{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F57BFA4C87AD23BA8D5FFED98ED1E94B,SHA256=A06C0717B690D623DAA0F000934D000B8D20638F0CA5B9A800998B458A092615,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651883Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:58.281{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000651882Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:58.281{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000651881Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:58.280{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa22361a.TMPMD5=36DBBADA813EDB200C2B5A8128054E48,SHA256=F4E0DB2CD90C5DD2683AE772A460616D1F0DB8B7E1C978F725E37B250DA33754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651880Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:58.046{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DAD95E1CB7101B5A5AF0BA12D22D08,SHA256=3443BB3B02B51085CB712302F5B120D199B387DC5E0B0FD7426A5DB26768A3EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553521Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:59.198{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24C35230333740A89C48718B4642A1F,SHA256=9ACFDF50E17BC1EB5A14CEE1320C67A5B4CD7118C14AC73B0C395783125994E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651889Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:58.301{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65108-false10.0.1.12-8000- 10341000x8000000000000000651888Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:59.272{7B03F3B2-D0CA-609A-0D00-00000000BA01}9127316C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651887Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:59.272{7B03F3B2-D0CA-609A-0D00-00000000BA01}9127316C:\Windows\system32\svchost.exe{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651886Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:59.272{7B03F3B2-D0CA-609A-0D00-00000000BA01}9127316C:\Windows\system32\svchost.exe{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000651885Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:59.058{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9FCF09EEA03BF6A68CB8CC5440E206,SHA256=045127A2A5E1CA603F00AA6E22CB166B448E58C3D511670B8936FB9AD865322C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553522Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:00.230{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7267D2E6972F5511C588C756B708EC8,SHA256=6DA3F2CD42A5825D20405D637EC2BB3D23A6293FD463ED41B911DE07810EF47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651890Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:00.105{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0719B6D90AC93E726A950D06C5B057F,SHA256=B7DB3DFDAAB671B43ACB27CD37437595A1E2A49911A6CD75E04CA5AE180A099C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553523Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:01.245{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E6975AD81300E73711E0208AD8D1D7,SHA256=E8F7389E81E1ECE8FC34261B66100855410608A39292BE22EB83659DB924BF3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651891Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:01.119{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D8D01E1135886FC24503165EC10BF2,SHA256=4FE0C298D20F9DC0A4271F53A6A57DD8A23602ADC1A65D0A9821BB1FDC6FAACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553524Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:02.245{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1FFB4D3AA3225C62D71DB23966E3576,SHA256=8D3F54090999A98A8E59947CA1C1EDC6E07B82517ACF87BA343211B6B6F19D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651892Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:02.137{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4AE572F2974579A01E3D8034275586,SHA256=4A4B08C99920EBB2BFDE50D588894F269455F909094746E3A7728C5FFDC2F803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651894Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:03.754{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB96745C5D5E19AFB0426515E5908841,SHA256=8FFB5BC9B9438CABCD7F0790CC2D1F35F278A72421E53E80E527E07B15EAB7A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651893Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:03.155{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D6EAE7632C873FE77BD34481E9F199,SHA256=4DB454D581EE20D80D6250F25317C15EB20731C10DD44E47FF4B25786D1A8CEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553528Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:01.888{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51580-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553527Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:03.259{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=571288DFD4319D9CE833B25DE3D0D2E8,SHA256=14FC2E7D8480B92B5ACCCA06C09D9877AF0D63867CBA69CC6C20C9F7D40DD41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553526Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:03.259{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E322B6EDA273B6F014253EF12750BE1,SHA256=9FF103D36FB0D9C04DE7DDD9F2AE1B60A72B4D772E1CAA40976DBBE3EA6E6A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553525Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:03.259{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5262C695D477C17DA3BE67B39FD354,SHA256=064CCBE6DC702A4A9ADEAFAFB32DBEC2A014B7310072F8C7A8A04A670808BE9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651895Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:04.165{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDBA85098A6EBD0FBC9171E3B68AB58,SHA256=4A491BBE5B4AA4E3D78A829A39D508D97E301820DE1A059DC6421B4E8353E0C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553529Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:04.275{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C666AFD0024ACBFBBA1FB186625F63,SHA256=CD443348C5B71F7FCA4DC1709351806531A530894E119356EC3AE3978EBA199C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553530Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:05.322{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44240DC9DECFD208BA00258FD2C987B,SHA256=48F43804B8202A1A52F0A7CF7D283B2F8FFAFEFEE4A2A1AC422F89C7ED2E63B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651896Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:05.171{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A646DCA4574DFABAAAB0204070A9EAB,SHA256=FB31DC46BB1942D1FB35CDA39F3AE743300D61BF85EC4920C708026E5CCFF204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553531Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:06.337{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B011C0FE55CCCCFB8018C334DEC3B9,SHA256=0C27CDD85A5F022554FD4E60017956AD5247F23E3D5EF3225ADFA90E9B7FA0BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651898Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:03.477{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65109-false10.0.1.12-8000- 23542300x8000000000000000651897Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:06.180{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9330B6FB31723A63CBCC97974A5876F2,SHA256=969614EBBBAE439877882C3CD08CBE2FDC5779B6E04D2E12317074F84B30C120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553532Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:07.353{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26F26A94CACE4D5BD7B94E241289F38D,SHA256=5E0F6CBC4544F5C75C32493707C8510047D2129A7D99A631356A0754160B9FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651899Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:07.184{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7DE35E9DDC2C5B753D2E1659FCD25E,SHA256=832A22379B25F3923832A682023463B7DAE28ED468090E089184757501C0AC51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553534Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:08.712{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0926F5FFE42F41B31AE5A4EC1347E47A,SHA256=36E2A5C71D37C96AC4E83FFC04B88598F681860069EA7B14834AE9CBA691623C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553533Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:08.369{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89559141E48D832946DDE6C4A37948D8,SHA256=43FD8BCE1578A3A8B640CD6D405AA3F5FC5A32D3F039B17C0F682DEA7B0DD588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651900Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:08.193{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7788937D34ADD7683A8B66431033E165,SHA256=8D79541F49E0E045624099148FE2A854EC2EECD31987D310FF0DBF742599E897,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553538Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:07.699{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51581-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553537Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:09.447{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCF4768131D3E9B40E667276521F90C,SHA256=C53A326D587B01220B52F1ABA1D3C9FF94BAFBABA6022C2AF60B4A407AD9715E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651903Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:09.273{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2380DCA08530047E9AF397B98AE70B69,SHA256=F15B597AADFED4CFD8A60C66F334FE1F29915CD1767A8AE5494A0583ECBCD740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651902Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:09.272{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38D720EB0F2E54B0A579F03BAE92790B,SHA256=5AEA4D0C219268A49D7C078C505DDB76FB7CA9A8A11D30140E4AE836051B473C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651901Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:09.271{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=004F7B7A0DE0587EECF89284495861D4,SHA256=483767CD4CFAD7653C4A013809F56E971BB0175FF9CDA79D7990765DCA0634DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553536Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:09.228{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4432EB1EB14FD492E3AA6927EAB3864,SHA256=F82D724EC69EC44101BD61B5FF45392F342E476EBA98680CFAA3E0A805ED14D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553535Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:09.228{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=571288DFD4319D9CE833B25DE3D0D2E8,SHA256=14FC2E7D8480B92B5ACCCA06C09D9877AF0D63867CBA69CC6C20C9F7D40DD41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553539Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:10.462{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19CC07989BA58B8A3A5A287EBEF54ED2,SHA256=DEFAC2C49364F0EDA91C51CA943987608CFD192869932E1FDAD5B20A29465A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651906Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:10.396{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38D720EB0F2E54B0A579F03BAE92790B,SHA256=5AEA4D0C219268A49D7C078C505DDB76FB7CA9A8A11D30140E4AE836051B473C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651905Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:08.479{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65110-false10.0.1.12-8000- 23542300x8000000000000000651904Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:10.287{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15EC7C1B3CD00E51DB63776AE4B0B057,SHA256=5F5C702F54BCE3DA7DA421C6AAD58793700E8A7B5488764088814BAC636BB969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553540Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:11.478{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD874D228C6D6D1978A25DA40BD8641,SHA256=CF9AB43A1733072E8FE2DF8C08B58CF2F17F2899511CD324749AC5872B7D7647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651907Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:11.297{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B12E6C9A320FFE6478DED2603904B14,SHA256=EFC688B4758E2A4100CD2E64F58A1651DB049DE71DC2F78024A4A988618841E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651909Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:09.625{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local64203- 23542300x8000000000000000651908Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:12.306{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4747FCD8878CAA066CB515E7E77640B9,SHA256=F49A9A2CF72CB199D69E576F07D6FC26BA821424743C6C099036B53E4CA8AFA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553541Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:12.541{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E67B654C3814027C0A74DCC24AC12FD,SHA256=C834888D35AADAA5221A5FBAD69EB74DE266B2690912C5FCA085A732C5A93DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651910Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:13.336{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93157BD5BC752FA81C11974EF3BBA75,SHA256=98FACEF8E8E46938E4B1A58BF6D32FDD8A4CDA1C49348949C5CA1382353E8092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553542Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:13.572{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21C9DA7A884FBAF575A16D079D20EF1,SHA256=D6ED95EC8401164B626DBC0EE2C891CA513F9346E5D420AD1F8E37B1B8FEC5F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553545Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:14.603{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DC448FD72F3D4D6183A87CF88A135D,SHA256=587B45A813E6D94B40A39CF0264532933C7BA1FA3A1EBFBA3C2F9D99694D73C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651913Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:14.375{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19CF4B84D901D38CC14227818B93A22,SHA256=FEE1AB4308380C4C618311CAE3238EDB46214D0E4E558BF1AACA7A61E09D59BF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000651912Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:14.142{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txt2021-05-13 14:34:13.883 23542300x8000000000000000651911Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:14.142{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txtMD5=C41F79B02AF5775DDA57E176850F46B2,SHA256=51565572AFC9A4A6614168CC33EFB3368236A740DD3ADA9C76072DDD5D1BDE53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553544Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:14.400{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F733171D39FF96E116996D63E5F2EF8,SHA256=D76194A8FFF4B02BA9364CE679DFCBDB38DE42242DCDACE2DF48D776ACB4F077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553543Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:14.400{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4432EB1EB14FD492E3AA6927EAB3864,SHA256=F82D724EC69EC44101BD61B5FF45392F342E476EBA98680CFAA3E0A805ED14D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553547Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:15.603{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD25DE3B14A9D778D06BC75802D6716,SHA256=DBE05D224E45BCE65C001BB0AF0CF77ED851222A4D5CB3F529A38615195B355E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651915Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:15.379{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBEC69F69EABD8E45251805923E9959,SHA256=6A28C6F6028C10A3CF23E67DBAF6A0156CEC3936AF6DC2D57D536CF515583AF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553546Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:12.824{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51582-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000651914Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:15.057{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3119FE6223B8E389CC7F2F4CCC52FCC,SHA256=BCC4A72BBB378C03CA8B9A68FF57470761EC4DF8E531BA02F268D07E0FC89F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553548Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:16.681{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5302E14D98A17E5AE06D46262FB8B814,SHA256=5F2588E578588FFE2540FC9FCBFEB31199574AEDA9041F3F3E8C3FD8A927FD3E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000651920Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 17:59:16.930{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x8000000000000000651919Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 17:59:16.925{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Config SourceDWORD (0x00000001) 13241300x8000000000000000651918Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 17:59:16.925{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BB71F2B0-B2FD-473E-8F6A-A6267F6C421D.XML 23542300x8000000000000000651917Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:16.385{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1D90CE868E65691C90E7DE2CFAC4C4,SHA256=F6FD1F5E8CF6A4FA9E072B4024EEE481540988C989275EEB861205B1C6444981,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651916Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:14.295{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65111-false10.0.1.12-8000- 23542300x8000000000000000553549Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:17.681{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75ACB1DFBE8CDA2F667325E506EA6F08,SHA256=0AE2CD1C5AC5FEDBA0C268943EC665734E2D5DB371AF0DC20A5D73FF52F64FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651921Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:17.394{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A677558C7DC9E8CDEEC668D361D927,SHA256=937CD6BFA60E6E27076FC30E65C2E0BF0389BEE3FF54B087D0FC5988ED1CF7F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553550Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:18.712{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4032BAFF387EF29B756AE242E2D6BF0C,SHA256=A20EA9C6EEAAF6E8917DC9C03946044C1D3AADF599985607155F3ADA3AB3E795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651930Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:18.969{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81B7B13ED99C2B05EBE156AF4C2E08ED,SHA256=C82F5D24C81F2B92157E425562708518B0F2847CBE87619917400AD2FA5C0274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651929Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:18.410{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377DBCD5D43C34E8DC1EEA710EC1BD21,SHA256=8BCCEF6A2303F81E6727789B84A0866DD05A5DE01A51B3AD5EB07117F16054A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651928Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:17.181{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65114-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000651927Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:17.181{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65114-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000651926Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:17.173{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65113-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000651925Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:17.173{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65113-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000651924Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:17.153{7B03F3B2-D0CA-609A-0D00-00000000BA01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65112-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000651923Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:17.153{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65112-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 23542300x8000000000000000651922Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:18.151{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97329BAFBDDE1A8611539FF9C92B1747,SHA256=976D918927EA59E3E0D5698634DF9A2D51FE85C6BD23E7D93CA92728286D6774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553551Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:19.744{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D321A3AC987024755B7675312E0ED1,SHA256=2F1968942976553CB2FF36EBE0F352879CF8B2EE2C9CC9DCE7E7DAD8C97D2F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651931Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:19.420{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0891214C826E75E21B17B52BD2C10AD8,SHA256=9A1B824D826E01F14D94ECE9B19A8E994E48F62846A5C29B6BC590030C4F9A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553555Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:20.744{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A95F383E57AEF7ECE441354B1B18C4,SHA256=98F36F20FFCAFB6F66A3FA2B750F6C6F51E8623FC40F8736434E490217587259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651933Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:20.424{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A529E72B1D5BB4904DBAE286804D98,SHA256=D3B7F3449004E18E9BCBFCE4494BAAD05E2F782809002D9272AFBA1E567ACE59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553554Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:18.652{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51583-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553553Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:20.056{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=779F68E29CBD3370429D997BFDA4C4F7,SHA256=5AF8022E2A5972F6F8455CD00EE45B3AD29EDC8362FAFD70C32333EE7C508220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553552Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:20.056{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F733171D39FF96E116996D63E5F2EF8,SHA256=D76194A8FFF4B02BA9364CE679DFCBDB38DE42242DCDACE2DF48D776ACB4F077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651932Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:20.130{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24410AB9D13D99114D0960582A5980DD,SHA256=BA291171A80B8F9606273B75B1F291DF11C294C3C11279F9DD7FD460EBAD3F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553556Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:21.759{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95048DB90C6D298818F74F2536D3069,SHA256=A2568D658AE77ACED28ADDA52C8EDC6F857E379793BFF3377F4E17CFAC51E29C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651935Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:21.456{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926D35A18AE6BA730635321C3810E166,SHA256=BB72CAB66B6E5B5E114C5C7B628BFB9BFB433F97824F7335A3718E17ADA1C775,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651934Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:19.362{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65115-false10.0.1.12-8000- 23542300x8000000000000000553557Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:22.782{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68ACC0D56E6B25C2EE7F42E6E453A5E,SHA256=81189CC8CFCC75180AEB734CCA27F95E0F19F4D34AB28333E0D4A20626BA580C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651937Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:22.899{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651936Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:22.505{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F6641EEAC3B3892C28E0F151494FFA,SHA256=EFAC3E13D0AAB6F63FF16B194EF042A757B66205F1FD0D79362D03A0E9543ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553558Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:23.798{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6438BED8EEA6EB6D8CC54EC211004A2F,SHA256=9DEC76908FC875EDD3079ED6461F042441986412C9584F3D80A8A231331965DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651939Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:23.779{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3A9ACFFE0D7FFA8F562FD1F17C715DA,SHA256=1B95FED6B806FE0E9D69B5A8CDDF5DE40409D4824A04C754F3DD5935C37694B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651938Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:23.520{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD7D423CBB11DAABD3F5C771763539B,SHA256=2122D5F3D5BD347846A59C5C8F49542418FBE6E7294EE6808915503777D867CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553559Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:24.813{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864BA440B34AB59503E7A35A472A8F9D,SHA256=7EFD097414844AB6512F26768D3ACBB5D404D1727C16A34C3B792B68378A5D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651940Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:24.530{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C64A209F7EC52172ABD966EB5CA872,SHA256=360D6440D3CBD3D0EEB384723AA77512378E1ADB4B8D917A9BF0826E8DC0DE3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553562Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:25.829{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB1C134B7660EB2FF8F937665A4AFBC,SHA256=C2BE76CF79DF75EE1496DB198EB75B541FE9514B497BA45609D15EEC26B3FDF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651945Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:25.541{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18203034A2B9DBD70A36E6AB8C263E5C,SHA256=417D94D1E6BF0718AC9F90686AAD24E97B9EF621A29F6C847878FD206A9DE898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553561Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:25.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CC922227C7F53153EE292AE6269850C,SHA256=E51751420B1A2DB4097493729CB64FD4B97D94D9465120EAAE65C080053ACE0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553560Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:25.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=779F68E29CBD3370429D997BFDA4C4F7,SHA256=5AF8022E2A5972F6F8455CD00EE45B3AD29EDC8362FAFD70C32333EE7C508220,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651944Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:23.543{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65117-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000651943Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:23.543{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65117-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000651942Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:23.116{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65116-false10.0.1.12-8089- 23542300x8000000000000000651941Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:25.215{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDE72D3481200EEEA5ABBF56A54F7208,SHA256=E76FE079FB35FB83B02ECD7D92F455DCBA37CACA76CAFFFF9D140B6397DAF3CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553576Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.860{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA62C233A0A2E09E718F50A2433FA9D,SHA256=D8AE6E118E96B4398EA8823BE9B07BC938EEF76F67410E6621C80AA38B3EB1D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651949Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:26.679{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651948Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:26.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=39AF4A3BC8B87E70AAFFE35F64C542D4,SHA256=DA12C507A408411A23BE45BE2F4A2B7D2953D4D3316E4D53841CF845DF30A096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651947Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:26.555{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B660861D8E4DF3EEEEC7B47DA71C3EF2,SHA256=8151DFAB808A193554D855CFEB3B467FC15605673A599E7A71A54A9EF01229FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553575Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68FE-609D-494E-00000000BB01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553574Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553573Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553572Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553571Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553570Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553569Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553568Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553567Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553566Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553565Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-68FE-609D-494E-00000000BB01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553564Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68FE-609D-494E-00000000BB01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553563Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-68FE-609D-494E-00000000BB01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000651946Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:24.443{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65118-false10.0.1.12-8000- 23542300x8000000000000000553594Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.860{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589F750E34EA5567470B9B1A06159755,SHA256=7E5179DA7633FD61F069483422FED715E54AF48CEC6CE00802C9E684608966AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651950Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:27.583{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3595643294BA6BB4078D1393D2E707C4,SHA256=62C16A25D8EEF56532E7BFB4F3D88CFA038926ED4E8812D45225912A946C4BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553593Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.782{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CC922227C7F53153EE292AE6269850C,SHA256=E51751420B1A2DB4097493729CB64FD4B97D94D9465120EAAE65C080053ACE0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553592Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.548{E1BD9FC2-68FF-609D-4A4E-00000000BB01}788224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000553591Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.532{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553590Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68FF-609D-4A4E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553589Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553588Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553587Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553586Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553585Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553584Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553583Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553582Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553581Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553580Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-68FF-609D-4A4E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553579Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68FF-609D-4A4E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553578Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.439{E1BD9FC2-68FF-609D-4A4E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000553577Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:23.878{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51584-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553608Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.876{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04573A10832290F11C4C48DFB48F56E4,SHA256=061053A48E2C92E5897C44CAD7F546D0E065229F15D5ACE4F7423595CE704B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651951Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:28.585{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559217D9687062BFD65D2C66EAAFE36F,SHA256=CFF824AFF37B6A0779E07D38F394B10C2C82D7B1EAD725B2FD677E8ACD3BC65A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553607Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6900-609D-4B4E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553606Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553605Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553604Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553603Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553602Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553601Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553600Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553599Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553598Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553597Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6900-609D-4B4E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553596Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6900-609D-4B4E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553595Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.111{E1BD9FC2-6900-609D-4B4E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553611Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:29.892{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9429308A46E3E60B8220036126FDB9E7,SHA256=B2A24E0F5DC315A218389246BBF845A64F930C064674F7A3474003C48D31AB20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651952Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:29.600{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBDCB93AD18C70CF8BA47AE01E135D9,SHA256=C96AF7E0897E2ABC28235116F3B4DDA47C7A01C4B1137D382789864852837736,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553610Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.159{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51585-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000553609Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:29.142{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=351952D192A5FA7F3717F34EA5DB853D,SHA256=28096536DE4032A7A1B27C7FE144B1AA1DB1B32B5D0A734F04C9D1D35E36BC1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553612Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:30.923{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF24B462A61A65477B30F61D3FDF3EFE,SHA256=9717606CFF059299EFC505E888452DB696C7C2BCA9008C4BD827D804590D0B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651955Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:30.606{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C792BF97906D7AB4F676D70CC53584,SHA256=0481DB18AE08DF04CCCE72EC8BA9F8D288C231AADF60C4C5CF2FBC6634AB0013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651954Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:30.252{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACB2C47CB9733D2AAC190A95D95C37BA,SHA256=3BDD8663D50D0D365FA3A39CCC3A67BBB7096DBCB999F6C9C2162884CEBCDF21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651953Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:30.251{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8D3F9398665DC6BF7E24C95B2D27AC3,SHA256=404BC84BD7729B82E3CC8108D1A2E57318F9286A021FCF46285C9368F337FAC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553614Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:31.954{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A0E7AC982B77411A65ADE564C4602B,SHA256=79CAEEE8C3C42A7ECB8CA02A1AABB26714F4F9AA7BF36FCC15D0F670B872B73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651957Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:31.624{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29DB2CB7EB59934A53EA4280CE763B35,SHA256=D8D38ACAC5ED4381FF886BA8FAAE6C25775FC28BC5FECCA3DAB4D0F0670F8DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553613Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:31.329{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BD7937B3F7F43C5CC9AAD668EB68622,SHA256=A97AD87ED6D855A03F74EC0941CF6BAF5B703B2501F91B3E2DFA135B42CD1E9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651956Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:29.483{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65119-false10.0.1.12-8000- 23542300x8000000000000000553616Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:32.985{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B4CADB90A26DC51265DA58D1BBD7CE,SHA256=629509FB1A6F4B971C1999C21E25108C54E71A805ED91B9A24D5FC52008B8590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651958Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:32.632{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA1C4FD601F75D8D28754C01AAF8B5A,SHA256=56B04B0F45BEF3F3B9F68D0A3549B377B856ABCD74F6D8B2646177004DE5EC08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553615Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:29.815{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51586-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000651959Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:33.641{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8BF25C976959AAAA3E95A408D941F0,SHA256=466D05769FD4DF34D515A7AB6361C53D586D816105D053787E487ED1940AA4B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651960Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:34.649{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF6BB87EC00E358E6B71D3EDFD9F4F88,SHA256=EC68859B5B3AC43EC86250F6EB019E19749FB8BC5262C7154A4723EB82BB1F7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553617Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:34.001{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD96F763E0274ECC9EACC953A99B0935,SHA256=7EBE4195128AEB696B69229DFCCD43AE54F0882086AD619446156543AD2E4E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651961Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:35.656{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BA10E160ED72BED206A1618A432B1F,SHA256=FD4A8B83D3CC7A1D268A513197C903B1E90FCB0BFCFF17163D823EF202A1DA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553618Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:35.032{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99C8D2F4F7F991C478D1999343CC2AE,SHA256=96941822C441B84C4680FA838AB0CDB78B8BEAC05E72B5B9CB753A4F5F9ED272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651964Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:36.675{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97697DCAD7D433D8D0001ABC8A536327,SHA256=78AC5716C425E77C03743A9A41B612186206AEC4F962E413F32E957F36AC08D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553649Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.798{E1BD9FC2-6908-609D-4D4E-00000000BB01}23441012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553648Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6908-609D-4D4E-00000000BB01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553647Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553646Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553645Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553644Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553643Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553642Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553641Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553640Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553639Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553638Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6908-609D-4D4E-00000000BB01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553637Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6908-609D-4D4E-00000000BB01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553636Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.674{E1BD9FC2-6908-609D-4D4E-00000000BB01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553635Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.407{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5198B917C35192A7DE1C31AA9E234CBF,SHA256=143667946C85713188C5B8B679BA6A48E682011DFA3B94B5C23B8196475907AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553634Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.407{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78F90010E2306614F834B53AE778AAA6,SHA256=880174BAC8D841B83D738C9F5252AB509F025DF34B4588D740E983400A75559D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553633Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.126{E1BD9FC2-6908-609D-4C4E-00000000BB01}33442328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000553632Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.048{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A23523ABFBD88BEBACDB6C3982441C9,SHA256=639AA48E0B100215FB7237413629D9CBA6B35169519ADD877633168F636A9EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651963Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:36.184{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC6083273DD3ECC7281F780240CF524B,SHA256=48C5B4D16CB6096AD3D18B96F1117CD71D09618D46229AB7DFF1DD857AD95714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651962Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:36.183{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACB2C47CB9733D2AAC190A95D95C37BA,SHA256=3BDD8663D50D0D365FA3A39CCC3A67BBB7096DBCB999F6C9C2162884CEBCDF21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553631Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6908-609D-4C4E-00000000BB01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553630Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553629Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553628Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553627Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553626Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553625Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553624Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553623Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553622Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553621Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6908-609D-4C4E-00000000BB01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553620Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6908-609D-4C4E-00000000BB01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553619Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.002{E1BD9FC2-6908-609D-4C4E-00000000BB01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651966Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:37.820{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB3B4D55452698E1D5CA72BEDCDD88F,SHA256=772889EA4AA989C5AFD786FE96680EEBB54D75C5D82B5EE43A897ECBC5B00934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553665Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.907{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5198B917C35192A7DE1C31AA9E234CBF,SHA256=143667946C85713188C5B8B679BA6A48E682011DFA3B94B5C23B8196475907AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553664Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:34.862{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51587-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000553663Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6909-609D-4E4E-00000000BB01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553662Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553661Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553660Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553659Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553658Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553657Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553656Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553655Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553654Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553653Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6909-609D-4E4E-00000000BB01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553652Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6909-609D-4E4E-00000000BB01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553651Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-6909-609D-4E4E-00000000BB01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553650Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.048{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E68295E8F0D0A69E34A165BD40F9A01,SHA256=16AC7BED65929E7302422389567C02E7C65C0A7393CDBC9BE14E7B5955F1E954,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651965Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:35.369{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65120-false10.0.1.12-8000- 23542300x8000000000000000553680Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.251{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF468EC8211312517EB731A7BE7D761,SHA256=0EAE28AFDDDF8ACB65A2325B685FA0D91C2647E6FAB61CC243F84461596F96BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553679Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.142{E1BD9FC2-690A-609D-4F4E-00000000BB01}33241984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652020Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.653{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=DAE6187CCAFE3B97421BD18151EF09D8,SHA256=481BFB80D5E975B563C1259EEC036F7EC8A1ED6A4FBDBD2C9D8D6527A6E60EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652019Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.648{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=3F92B621E1581AD764BE2EC57381AF23,SHA256=18FBBA6D350213F61DF718195FD2B38A3B8344D0A5C22C2713E6F8944E9A9DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652018Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.647{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=A934D3E2CFDB836D2B0E13DA7905F85D,SHA256=4ED20A2094A10C69A2B03AA62FA3CBACD0CCC958127C418B502B8C417F34E399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652017Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.647{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=DC7308A91A03C92D7329F37F15C7AC82,SHA256=180DDE904FFF036ABD4045A52850200ACA369E4577E14E0675E5298855A6AA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652016Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.646{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=61B202679AB4A90DF598E65551E44B60,SHA256=E12DE94CAE41F44DAA1ECA9CAC21BDBC8A1AEB4797CE358DC1698A4CCE147A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652015Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.644{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=0A19E4A237D65FF069452EF5201F217E,SHA256=AC5D43328F28E2B1159D014197F58D987C2AB78C9179DCD924524353571FA604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652014Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.644{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=0564710CA4D6578FF3276BA90AC1FFC8,SHA256=B21CCCA4FEDC84EF81801777061708CC485E50F519BA103583B2E00B9B745100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652013Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.643{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=C0FE3CB314FDF424A4D4F1DE2801A4DF,SHA256=C4CA8CE5B3B8D038E3348887BDA7634D1949325BB95A68D17184D2A99F37E810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652012Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.642{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=3EC11392D120EFF88EA429D945305A23,SHA256=00A881F20202579C53597EF52C315AEF2A75B23DEAD91B21FAD0F2292CEA969A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652011Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.639{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=BFF7DF7E350A49234104FC5231FDB381,SHA256=71EC5B3701739EE7B118F82E5777807D98A1EBADD653F7C8F8E04426A5938D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652010Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.638{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652009Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.637{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652008Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.636{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=78AEEC294DABA7ECC81708E60A1662D8,SHA256=4642CD76BAC7AEF8F6BDDCA8ADF6605D8699D531E1B7D0E277A477B590726CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652007Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.635{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=CA1003AA6CC48489F362350080D68948,SHA256=7549F93D6AA5C5D8DFBD7CCCA276771236FF0045DA0E84BB6C09AE451D90BD28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652006Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.634{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=AF5DD014FFE62B74AA9E4CE2732B8712,SHA256=5EB6AFDC8527DC95705FF4359B1809651ABB942C377AA2900B0EF838AA2EACF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652005Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.543{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=AD15D5D9484201E4F05E8A1F1CA457F3,SHA256=2CCC41F29A2CCB30E51C301A5C11542E1253CC69A18FED7E0178F94C4072FD37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652004Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.542{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=5AB9503B46999A9800F797EC4AB0DF4B,SHA256=B972A51EAA4DB2119382F42211675BA6EB906F9D411DCF27A1F951E13FC2BAD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652003Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.540{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=127FA57B63F90D6C2F0CCAA86A46F7D1,SHA256=6B10EDDF78FCEA584E0CABBBBD32887A8C989A926034E677007176968849CE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652002Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.540{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652001Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.539{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=41C9CA556B7DCF1129513126A1EDF26F,SHA256=5B06F2BDF9D864D790677DB8C3AF9A5F3B2AC7E48824026A7F794E6DBE5B4DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652000Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.538{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=54F4644CA8741D633082C577866187C6,SHA256=363791F90AD17E21CA91D6494920F008191797135756EAC79F7C4ACD94B547A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651999Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.533{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=554754424E0ABF50D2D2DD5086FB97DB,SHA256=D9777DC9A5E7969BDC5F3B73588FE08A994784E20619FE15FC212BA83C67D9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651998Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.532{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651997Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.517{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=5A35E65CADA1885B6796D1B3FE56E5F8,SHA256=35A1BF0FF6DD2B70DA5F89611891D413808DDE1510D03D788FF48A214AFA7CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651996Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.516{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651995Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.516{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651994Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.515{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651993Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.514{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651992Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.513{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651991Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.513{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651990Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.512{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=5EB942447159BDD7EEF028E27D1B67ED,SHA256=4C7B7ADDF3C8C67C97BAFBA64E747E49EBAEC833A43FBB5112AFD08996A9685C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651989Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.511{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=318288F5909637E0C3285C0942D72FF4,SHA256=F2BB9D40F7237C0E6D8EA96DFA2E864BD1264EB191C52BDBF16488D9466BC300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651988Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.510{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651987Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.509{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651986Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.508{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651985Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.507{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651984Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.506{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=E2856310152F38E03E91A22D9CB19291,SHA256=915F6E55ADBB3C5AB5747A0D2CF9E948ED62B63E79D12BDBB091F0486CD03AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651983Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.505{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=73DC8D3F53B50FB0F1F8632C9530FD92,SHA256=833AC94BC689B785FB52EC5D18E139325EFDFF464D005116AF932573580FB379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651982Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.504{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=9BC238A800DDAC970E529F57CFD2A0FA,SHA256=66692DC05E8FC8D067983F947D990FD70C59BD62D0368686252B6B2036761E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651981Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.503{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=E6AAB64DC2799B4ECC6A6D18F86BD283,SHA256=D72FA31B50E9164371C5B7A3CCA257B99CE12D900FB07DEF942361D76299F5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651980Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.502{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=C3CA39A668EC3B1A24B07B68FBDE811A,SHA256=090654DB89310693F427B861104C6FA2A556722DE5D88BF27D216FAE1459A7DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651979Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.502{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=C3757E7620737B3B6500073B370852FE,SHA256=34B07244F673343E9AC1C775B455C0A60AA95439E83A70B0C6A24E504A88F4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651978Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.501{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651977Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.500{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651976Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.499{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=5969DD82BB12F93A8166E58695FA5D79,SHA256=488E9B04C2C57E2DD20C2B4CD727B182E7A60C13693299E57FD274148E7B897E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651975Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.498{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=2CC22CF356532158115AB8A0851A9A80,SHA256=6B106FD00C6E27909C9779448E5BDA5FFB96FE2A6FF42636A662AB411D9906DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651974Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:37.457{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65121-false142.251.33.74sea09s28-in-f10.1e100.net443https 23542300x8000000000000000651973Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.482{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=554754424E0ABF50D2D2DD5086FB97DB,SHA256=D9777DC9A5E7969BDC5F3B73588FE08A994784E20619FE15FC212BA83C67D9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651972Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.471{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651971Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.395{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=127FA57B63F90D6C2F0CCAA86A46F7D1,SHA256=6B10EDDF78FCEA584E0CABBBBD32887A8C989A926034E677007176968849CE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651970Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.389{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651969Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.378{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=AD15D5D9484201E4F05E8A1F1CA457F3,SHA256=2CCC41F29A2CCB30E51C301A5C11542E1253CC69A18FED7E0178F94C4072FD37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651968Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.332{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651967Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.293{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC6083273DD3ECC7281F780240CF524B,SHA256=48C5B4D16CB6096AD3D18B96F1117CD71D09618D46229AB7DFF1DD857AD95714,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553678Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-690A-609D-4F4E-00000000BB01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553677Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553676Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553675Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553674Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553673Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553672Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553671Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553670Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553669Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553668Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-690A-609D-4F4E-00000000BB01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553667Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-690A-609D-4F4E-00000000BB01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553666Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-690A-609D-4F4E-00000000BB01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553682Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:39.220{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C531D43D20482412A2839CEE273B763A,SHA256=0655A5DF5695403512BF6E78490637D62D08F648FBA53E000D4B8D43E6FE1972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553681Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:39.142{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41A71775174C04BB9DD5249E9DEDC36,SHA256=064B1AFEE07ABF8CAAC7876744F53968758DFDA2B22EE720395789161F7DBC95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652022Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:39.164{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652021Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:39.087{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F679363819A47C9CA5B73F4984853423,SHA256=F9053AABF6984A53B0CCCB72A919FE0930A74AA6602578A5C66C7DBB4C7A44B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553683Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:40.173{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=538168A73D62AE100B9B4E0813CDC04A,SHA256=790D395AD4CC7DBF91148E52933B414942703CED270190D47A465534A8D8E34A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652023Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:40.090{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E892D5A4B7D89C96DAE5B133EC315A,SHA256=8A7E7A5EDBA0B4DB404DD35EBD0E4A6DDFADF0DDCED70ADAE240EADD212AEF6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652025Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:41.228{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=758AB1856B44B2E767C3D375107C5213,SHA256=A2533A543E6527A5F4C84DFF14AAA9E6CE9984BC12F6E2043C0B212191253586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652024Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:41.103{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2A87628DCD1138BE28B7D37D6C4470,SHA256=384BB307D6EE88281AB566E1AD35043FBEE6573ACC44E0C87A94E4FCF1C29134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553684Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:41.173{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA915FF69673516077BE951C365FCBC,SHA256=981ABC750F9A53250E784B2A406F2A1BA42A1EE403A6035D0B9AD15B2840BD36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553687Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:40.737{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51588-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553686Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:42.251{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FED2FB9C6416510EFD52EA9DF83591E7,SHA256=FD65E0D2B20C6BBA16895EB8530C6E7AA77B735E1B6169870EB1B13B17C9360F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553685Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:42.204{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB9D7B0401D2C1BF33D2F7B61F224740,SHA256=05B5B6FD5D80A6CE724433E05347435A2AA889BF3BF18A4679CFC451F0FBB96C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652027Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:40.459{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65122-false10.0.1.12-8000- 23542300x8000000000000000652026Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:42.106{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4672DCE083A9826772160EAF972E5F9D,SHA256=8A37D2C090625299DEDB58CFC3DCB2286EE5C5D02FCD3A255386A711A6925D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553688Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:43.240{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7524B5172D7CEB7EC2783BBF2BC1F6,SHA256=E6C32AE5265ED669F3D334C526D3856272C25CBC51812576E5C3B2305D157C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652029Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:43.776{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77F5BC4B0E568347BB83C1FDCC6D02CD,SHA256=AD7A6DA81D7104C66F0D5ECE59E7119F0A502D9D3C16747C8C232418D7FC6C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652028Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:43.111{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BF05E813E8737D6BEC90A1DBF02183,SHA256=C0093487862D159B345D1BC2667667F184ECBF23366183848C970A7186039553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553689Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:44.255{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AFB61F767E0E0ECF8A9FB8F44E38531,SHA256=358BFD9F93CC4B9411B6F154C196F24F542DF728639F80C398EBC08A44267B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652030Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:44.128{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCEC8F8ED58B574996E42164F8C1F1FD,SHA256=F921A209262ECF38FA3457BE5BBEC74858D93D6379FE407AF68E486F0C2DDA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553690Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:45.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9FCB332AE0077F806BAC44250B0B61,SHA256=5A21CF37D93C47FB5C728F33E31A4468218751FDE920E9EBEF5BBB42E30A6119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652031Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:45.129{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962CF39DCEC4BBDDD105086C1A77978C,SHA256=E294A37D90938B62A63CBCF131F86211428CE962B7DDBE7508F66FB7604FDC8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553691Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:46.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCC5FECDF4F29D741F652D5083176BC,SHA256=D4742E9F57009870102AB0777AED102DB41EA292AFE5F22F04D6E333C6832947,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652049Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.902{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6912-609D-3A53-00000000BA01}7628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652048Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.900{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652047Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.900{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652046Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.899{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652045Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.899{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652044Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.899{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6912-609D-3A53-00000000BA01}7628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652043Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.899{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6912-609D-3A53-00000000BA01}7628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652042Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.899{7B03F3B2-6912-609D-3A53-00000000BA01}7628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000652041Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.259{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6912-609D-3953-00000000BA01}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652040Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.257{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652039Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.257{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652038Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.256{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652037Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.256{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652036Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.256{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6912-609D-3953-00000000BA01}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652035Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.256{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6912-609D-3953-00000000BA01}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652034Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.256{7B03F3B2-6912-609D-3953-00000000BA01}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652033Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.230{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FA8CAA39A44A8C84B46A9CD062565D9,SHA256=860BD54E615FA76C4B5A53321E6370633C0B37775F40E617BBFF3CBE0A0706EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652032Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.137{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24140D55CBDBC142475D536339747672,SHA256=987BCFE6FF34B63E35A1BBD553DA1BA0B0C41ECB4498B69495834DFFA6F860D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553695Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:45.773{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51589-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553694Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:47.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A1FE158F021A7B7C2CD5291B2C7BF5A,SHA256=9D014995626A2244F16D2D80B421CCEBD387E8B889C045CB79AAB26ACF3486FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553693Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:47.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8AB1D520BF65480D02DF95F35104601,SHA256=2BE326442D958F282B8E9B5C4E13669530CAE50A593EC535BD8C0D9788C16F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553692Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:47.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E45CAF4057C4CA600D61D1FB26E263,SHA256=95021917EB4F17CA1409E5B0663FE01E4B50109CD0B017DB0DE4712C38729C2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652061Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:45.466{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65123-false10.0.1.12-8000- 10341000x8000000000000000652060Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.457{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6913-609D-3B53-00000000BA01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652059Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.455{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652058Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.455{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652057Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.454{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652056Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.454{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652055Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.454{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6913-609D-3B53-00000000BA01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652054Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.454{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6913-609D-3B53-00000000BA01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652053Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.454{7B03F3B2-6913-609D-3B53-00000000BA01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652052Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.426{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E43D734F62EBA0C6BD77EE53FD27D1A0,SHA256=F9A034A1B106510B1DC1D50A00A046A857D6AEC996058F986E874F93D9B8E418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652051Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.189{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93A3A6E5D2641DFAD2F1C011E13700D,SHA256=BD58B2EC6609744F14002EC7BD4102D8F3C3EACDC4657303986F9AD4FCF61459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652050Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.076{7B03F3B2-6912-609D-3A53-00000000BA01}76287720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652072Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.594{7B03F3B2-6914-609D-3C53-00000000BA01}3844164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652071Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.483{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82537A4A520055A7E3DA3193B1167DAB,SHA256=31C4CA5563E94089B3C66CCE43DCFEEA9B7D8EBC5050E2FF9C5FF5CA7DC83086,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652070Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.447{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6914-609D-3C53-00000000BA01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652069Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.445{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652068Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.445{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652067Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.445{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652066Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.445{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652065Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.445{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6914-609D-3C53-00000000BA01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652064Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.445{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6914-609D-3C53-00000000BA01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652063Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.445{7B03F3B2-6914-609D-3C53-00000000BA01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652062Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.211{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=783E9E35E0A25F4A6AADBA27524B966B,SHA256=79D9DAA3EB5BC493235126CAD7394EE26B4ED0DCF2979780BFF132401A43D0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553696Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:48.302{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E161D81A02573405EB141A165E49A891,SHA256=B1EB3239C21811F0F1E825BF49A1EC92EB7C1B77DEA8C3A5E51040891F9C222F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652083Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.609{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92643F900285117449ED34723B08DB3D,SHA256=4D411A2E6BDEDED065D7B42816FE3D9705920FBF858AC31910495C728D774996,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652082Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.293{7B03F3B2-6915-609D-3D53-00000000BA01}56087320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652081Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.245{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0B20EEC354660A8E087A888857233C,SHA256=35F45A4A249AEF1D9472988609403A39F2578CF0E53B399E44590E8816397A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553698Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:49.318{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15751CE214CECB41F5D15AC54C7CAD0A,SHA256=EE075515A828005EDCBBE336AC828298CBC5889CC0598EFE64CD054BA62B444D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652080Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.114{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6915-609D-3D53-00000000BA01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652079Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.112{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652078Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.112{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652077Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.112{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652076Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.112{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652075Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.112{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6915-609D-3D53-00000000BA01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652074Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.111{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6915-609D-3D53-00000000BA01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652073Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.111{7B03F3B2-6915-609D-3D53-00000000BA01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553697Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:49.099{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A1FE158F021A7B7C2CD5291B2C7BF5A,SHA256=9D014995626A2244F16D2D80B421CCEBD387E8B889C045CB79AAB26ACF3486FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553701Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:50.318{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54310322FD1872715A562E5406AA872A,SHA256=5BBED3E21B7FC1DAC7C89F2DDFA9C24959D17F69596E1B77590FB075320F4E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652084Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:50.258{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E9D3A999299008A9908D6E9B024333,SHA256=ACB4A87A9BA5F2E8DB19A7ED282FC135FFE80C38223CC735B965FFD11EB8C7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553700Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:47.698{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal138netbios-dgmfalse10.0.1.15win-host-681.attackrange.local138netbios-dgm 354300x8000000000000000553699Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:47.698{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-681.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal138netbios-dgm 23542300x8000000000000000553702Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:51.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B22F8F9021514CCA62118B53C6F7D1,SHA256=68C9A9C740AC6941D440475AFEE4BCBE07DE454B8BA3CCD94DC3D0B0CCE25280,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652104Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.970{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6917-609D-3F53-00000000BA01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652103Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.968{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652102Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.968{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652101Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.968{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652100Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.967{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652099Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.967{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6917-609D-3F53-00000000BA01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652098Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.967{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6917-609D-3F53-00000000BA01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652097Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.967{7B03F3B2-6917-609D-3F53-00000000BA01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000652096Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:50.487{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65124-false10.0.1.12-8000- 10341000x8000000000000000652095Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.352{7B03F3B2-6917-609D-3E53-00000000BA01}36327380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652094Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.292{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E44137030BD519FF0A311BF6065DD82,SHA256=4A9A5BDEC76CD9486DA367EDDC38B018CE3AC2DDAFF83CA9F92F185A025E87F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652093Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.256{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C0365CF04F3C5AEF6E6465A4109B58C,SHA256=AFFA88F58758D2AE7E6A1694B7CF560C09DBF14B10A0009B5C47530EA1B9AEC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652092Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.195{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6917-609D-3E53-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652091Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.193{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652090Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.193{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652089Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.193{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652088Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.193{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652087Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.193{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6917-609D-3E53-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652086Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.192{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6917-609D-3E53-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652085Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.192{7B03F3B2-6917-609D-3E53-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652107Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:52.897{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0F67C8AA37B82D24D6AE555489DE64C5,SHA256=8A49931C5EF8B072DE65C94F0EE0A668E04D02B63DA13E5DD397FEE553B474DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652106Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:52.408{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF2E1BDB267147657EAAB4472C9394FB,SHA256=D06924BFCA983DED8E0D7BD0BAFE2667306E5AB7E2C5B848C960ECEF66C46309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652105Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:52.299{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703844016C13DDE9F6EABD533D8D73E3,SHA256=5D59B937B4116C5CE2941DBF4660A7993442DA1DC46DA719F26C8CFC629B0F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553703Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:52.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300D84224D4454BB796A6E5884310BB8,SHA256=3236CC99E432BC01B6938B6E431265118EB040714A5F0DD57C509B68A30A4C93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553706Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:51.695{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51590-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553705Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:53.365{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7FBF48732E70915F878AB92E28BF8E,SHA256=D3F27E6E68C069BBA3CD025D4E22F7366EE75ED210C688CD7B116A3DF3444554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652108Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:53.318{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E787A587C52AE06D4240D941FAB6CF52,SHA256=37361031742831FE20F950C16BA30F5AAFA691E9AE83AD65B3CA2709D2AC36FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553704Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:53.052{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3D420B2246A5ABA3F341534B6929962,SHA256=0ECAAC89BE40A3BD5D98C91B83DEFA364B36376526FFC575AE18BACA35380D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553707Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:54.396{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4DCB0C4A3C7AFD0F3C882D939BE3A0,SHA256=AF8A51FF9E199F6A36AACEC1DCFFE87BE8A8F06F32F4F38EC5FC031A1FF8E00C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652109Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:54.324{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6BCAFD698D7259CA42755AF3D953BA,SHA256=D0BCB410D91607F0FB4BBA0D7CBCC08D3D762044C13C74663327AB749A423130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553708Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:55.397{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE4C7CB0536AA053D73FF81E928F1AC,SHA256=5E9CACF2A02129579D4365D9CB6544E5FF27FC6AC33B9C607DF3C4D95B169F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652110Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:55.331{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD076558FE957E259EB98CF81EA95F0D,SHA256=DAC25274FAE00F81173C12839F0A1BD1792DDD3E9A14CC1C6351B3D97F04B7C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553709Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:56.410{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26DC3F21CEAC519A6BB90AF65D561AE,SHA256=651F43F6BE7E81DAAF102583CAAAB56CC1FE0B2CA987A68F0213AFE71C1C2566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652111Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:56.350{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EC3D4B5E39D7EB13AFFD4B0A806C40,SHA256=F1225BA9E4D7E6F92DD2619DC6F0793EE3FCDBD4F701B8E32FE8F1EB6051980C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553710Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:57.426{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10200A8F36A0C4E516DECE8C8EF54EA5,SHA256=20039AFD63D74384AFED1D511B6349C3D9D4512EC8719C7B7CE6E894729C6E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652113Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:57.367{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9015DD522807CE84593145EB06B1C857,SHA256=7CEB2385EFFF721F3E034418EC9F6365B8F655337864EB40725827196F90FABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652112Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:57.176{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA23293C975D1E9C49FC184FA6B3FB8A,SHA256=1928E0216551E39AF7E2354AB8072C8D1601F5F019A3407C723E7F0DCF45BE71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553713Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:58.489{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3D07A6CE8D7E7D32B00E1AF9DA7773,SHA256=B731EFC310B234C9BA8C1287B9A03787125478E62C91C288EEFE3F944EF6D769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652116Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:58.834{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=056DC2CE7880981CC81C0AC6666F36FE,SHA256=7B6EC84B5BC06D65F504F769FE5A0BF3F0ABDB021CE9813FB329CED8CDF6DE6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652115Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:58.466{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC7883A4C7B7C02251327C823A188F2,SHA256=D1F38D6FC85C2801DE15980D7312E79611A91A6FEDE4EA811B6EEFB6BEC3D655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553712Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:58.192{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5C2D3CE05F4906C7CEDD1FAD9854C58,SHA256=4552213B4D3FB3BD1DA5B8BA725358DFB529AE5CB5BC97050BEF158EB3E50C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553711Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:58.192{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E820E9645B075EDE09B2A90335B148C,SHA256=C47BBBC6EB4F71B0D90C1DC3B4DD04F4612D2D9792A27538EE3193A2CF99DC69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652114Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:56.410{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65125-false10.0.1.12-8000- 23542300x8000000000000000553715Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:59.520{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39377479310C13F1B7D1BCAEC3BB518A,SHA256=49BBDBE8F492622AF8113E099E2D0022F2872594399825A9D9CC28937FCF0FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652117Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:59.517{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF0714A1FA5F9A5AF95569CE707B74D,SHA256=B82AE35B077C7EF66C20539F67E76EEB6C5F2DA6C4FE0882BDA03876BB49F31A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553714Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:56.804{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51591-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000652126Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.619{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652125Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.619{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652124Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.619{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652123Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.619{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652122Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.619{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6920-609D-4053-00000000BA01}3408C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652121Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.619{7B03F3B2-D0CA-609A-1600-00000000BA01}13046208C:\Windows\system32\svchost.exe{7B03F3B2-6920-609D-4053-00000000BA01}3408C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652120Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.595{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652119Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.595{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652118Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.573{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD681FC9C865EBEEE8393685762AF79E,SHA256=6AD19BDFD77FE02BE2C80B292A4BB71F9203A1CEF3147E2AD4479492663A7BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553729Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.536{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E28B64163AB0080B0E8D56E63F420EF,SHA256=C2563D454AAC9D515FC195281CBF61948EB52A7A93D1B8F0EC4F42DE1C34DFF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553728Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553727Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553726Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553725Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553724Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553723Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553722Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553721Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553720Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553719Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6920-609D-504E-00000000BB01}2884C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553718Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121324C:\Windows\system32\svchost.exe{E1BD9FC2-6920-609D-504E-00000000BB01}2884C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553717Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553716Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652128Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:01.614{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F363D4C8232CF13BD93DEF5DDAD3C394,SHA256=EB4FCAAA7797C1286DC2C379A7B6D153505A8B3D44D22552DF98C80D252FF740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652127Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:01.614{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEFBFA1FB56E09E994AC18B1174FA0CD,SHA256=6BF44EC72B0CA0B26F742CA22F30C8565DDF0540401880F339F5730FDD49119C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553731Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:01.739{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5C2D3CE05F4906C7CEDD1FAD9854C58,SHA256=4552213B4D3FB3BD1DA5B8BA725358DFB529AE5CB5BC97050BEF158EB3E50C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553730Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:01.536{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D3D794B855C12F776AD7842DF59566,SHA256=A4041425FD70946130086B006A4AF19D4AA3E0FD74F03A9BF2D5143DAA5A2055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553732Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:02.567{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BD07B7FFD01F20F25F8396CA54E23F,SHA256=C628977324FBB8564BBAAAAD1443F90D54F785F8030CAEA87CEF89586D374B8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652129Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:02.627{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5521D46BACF8B4202DB834479D684289,SHA256=4115436AF3CC4085981ABE0688AA83B2C7B0D688A123F47A18763992741B8B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652132Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:03.831{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2C1A70E5EFD6B6B7087F798A1DB60BB,SHA256=A3CE35E586789EDEDBDC472338AB8A182B11FCFEBF25D0A55748AB668ADA53A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652131Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:03.636{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEC272B2605EAF13CECA201BB1A6B5A,SHA256=68B434EF2F9242485CE4C5FA356A3E6D7C9B7271ADAB2299FC6224AF1A3D8D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553733Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:03.569{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BFC7285A23FA4FC0D8DEFF9D1A0A4C,SHA256=8BFA2D48EC480263A10DCE9A48687CFB9979FF62FDB0E1EE01CD27A1AF0C2183,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652130Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:01.418{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65126-false10.0.1.12-8000- 23542300x8000000000000000553735Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:04.631{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC505D678C2816F9723CA909B1321E1E,SHA256=289C60A0CF15F2BE372B4CD558E037AAC5E17F9F82D573BA400B1BD0D4986C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652133Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:04.647{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9624D723A86D79992AAD3E78FF44FD1,SHA256=035A359285CDC13F15CDBF21E007B1946C90B05E354F51AD88795B19C6125609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553734Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:04.069{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19324288249359CCAB620955392C386A,SHA256=F6E758AD7591CDD0A66359977CE3D75C011251318B1B7DDEAB0D5D7D0379567A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553737Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:05.647{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9EE5B74ABF229BE30E14C4EB3FC814A,SHA256=BE0FECB8F4BC9DDA2F9556A5E0C7F9170399474B57B90A275135C12790721119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652134Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:05.667{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB15BF4FBD24E2E6814DEF6899EF0439,SHA256=FE9E48AB9C565E6F8847C269A81E372A48315595F2F6E9F995CA124BCA999F37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553736Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:02.680{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51592-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553738Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:06.663{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2F23A7115361AD08E4A982D6D2A047,SHA256=003B5D11399FFAC1EAAD628385D825AFBAB1F4101E682C2763DB65C9F2930CAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652135Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:06.687{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB7AA0651D82A2993210CB76A075C34,SHA256=4D90FE2E4CC3CB9554471811048A7AFADBEF319C5DC9E5010159CD92ABB5F6E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652136Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:07.691{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6304606C6920D0196DB31D4B109BB630,SHA256=F7B6C5F31C37266AB06D922E1FF54816E0E3EE6971E51CD142210D829658B035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553739Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:07.694{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE0955317BC1FA866C15CDD1C509ACC,SHA256=9DBAF3F887B36AA3EDC0D6B9847E85B67D774C06495B999EDF3A3C2F6E1B4F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553741Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:08.725{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=04663B785D24ED332A1AEB744F00A3B7,SHA256=F83E7EBE155362AD1DC107935F33E85DC3D2D4859139EC2495B503ED26A271E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553740Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:08.710{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E30C3B6CC70F68973874DF6C824D10,SHA256=A2AF23DBFAAD11EC3C3AE3A3A2930A1339AAB6A20943046E99D133FC6C527999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652139Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:08.717{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F567735B8BFBDC09E1A2D415FD782BC,SHA256=9C2CD9F54CBD7E27514B22BC666FF670B8A3CD3FD0FC0C2D01EED7E67E7C7883,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652138Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:07.255{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65127-false10.0.1.12-8000- 23542300x8000000000000000652137Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:08.028{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9BB365CEA3CF304C1EDA89BC4232866,SHA256=55120B0E904F476472E5E3D0FE2AA5588CF86EA5185210FCC434B73D701A117C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553742Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:09.772{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342F5114B482D42651BEEB04F32B7EDD,SHA256=22265C42E53F1D2031036CACC66DAEAC3071C44785B9820F99F5013BAB5BBDEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652140Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:09.727{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC60C870E5BAE5CE94F958F7B56228D0,SHA256=6BD9FD343416665B6ABF91A0F0AEEA28D1615E6FF88AD51B32587FD4B193080B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652141Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:10.736{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC114D97EADCFDE08E904E63F78A10A3,SHA256=D9FA6BA1BDAFE23BF5EA4C5D9F86791C41AA2E0D15B3CFF7139250CE84298E33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553745Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:10.788{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937E26B1229697D35A98D5AB9F4CAB1D,SHA256=D7A24E3863C19A4379000BCEC1A5622BC8EA3501D92A8006ADF5CFF3019A6E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553744Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:10.053{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27ADE0772B8B04F97EC2CE8C7AFA6A3C,SHA256=3AEE6E23D30882C2D3DD7AAC77D6F146246D2ECE16E896EDA60F806D47074E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553743Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:10.053{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BDCFA6B25905FC6BA4D7B6B47937D2D,SHA256=69F93518DCF09A5286418D49C5E7CD071E0336F5886DCC9B77AC6F79329D085A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553747Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:11.803{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1E0F7502E44F6AF824AADB3EFAC15C3,SHA256=FF6CBAA75588B255A8637BF47841DFFCE89E901ACB13D6CEEF7C7162DA6D51FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652142Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:11.762{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE48BC63230767393ED53B856DE02F2,SHA256=D3F86EFF22C058BC71006ADA18A1C4569367CE6FC7D076FBEADA9B5FC1CB65B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553746Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:08.665{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51593-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553748Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:12.803{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06943A2372BAD54E50F73C6D1531B026,SHA256=3F261632E309DEC311792FED681A6496D5B0511C7F0D31460D7F1F173FEC8316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652144Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:12.925{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA47D983A577FBA3507974165BB9D42F,SHA256=98A268EC093D63ECAC403026C40E21DF344E31DD8B6DCC2CEF066DE8B66F3410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652143Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:12.767{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB2045FA8BB062A9D0ED32FC27F4E49,SHA256=47BCBA66C5C20379385C4FCEB131A92A859376470E212DA10D03A7D2F565F358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553749Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:13.866{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F6D73A2B9DECA183BB689C58DF08D8,SHA256=257B7408CF7C5FA1FB8733ED7E294CB86AF3C1A0ED2FABA8B0E2445561F8BBE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652148Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:13.773{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61956D426164A4A54FD3036AE247CB51,SHA256=416870165C39B196420A31953034C28A114FECA250A0176A03E18A79151606E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652147Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:12.157{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local52294- 354300x8000000000000000652146Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:12.157{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local55498- 354300x8000000000000000652145Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:12.155{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local54424- 23542300x8000000000000000553750Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:14.897{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76ED34795CB836DE2C2275F7B1DB2D06,SHA256=374D99000428951157B9512CFA1533713D81497E0863D64B45B71F3340FC0A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652150Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:14.780{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD41D76622709DD026EDB6BEF2F970F7,SHA256=5430069296751708C4288F7971CB9BFDF85272CA43E8DC191AF3855E78929AFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652149Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:12.401{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65128-false10.0.1.12-8000- 23542300x8000000000000000553754Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:15.913{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475E864D2EC6B95838AF636C0D0D3BF1,SHA256=779819CA5AA12901FB2FEE0D8743BBBC97449DE7366FE74BCDA9AECBDF177AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652151Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:15.791{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5614EB13C7BDF4579F44C1A9F64DF58E,SHA256=E2015C9B5499C5CDCF5776D4CB321DBAD286D8C4FE506108CF702B1CCE1A11E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553753Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:13.712{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51594-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553752Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:15.085{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0F28EB918BD4D1B27B7A53260D5C0C7,SHA256=9A3E86931E3C36EEBCB479F11F90A1DBEC18472B7E4F03C38F7D9119C1363807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553751Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:15.085{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27ADE0772B8B04F97EC2CE8C7AFA6A3C,SHA256=3AEE6E23D30882C2D3DD7AAC77D6F146246D2ECE16E896EDA60F806D47074E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553755Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:16.944{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF99EBF3FACA917FD0BA81F8DC2F51C,SHA256=114C9845160C55E69E3D2CD978B03E6C42C6D22B03D5E34E9D8C47E37E6D93FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652152Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:16.798{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39B20632AD21F76FAE7A2D36ED3F08E,SHA256=ABB2361FE4E0DCB605B10D36AA76CF8D6523B1501B729857C0600D15982C5893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553756Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:17.991{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AD24BF4847F4251AE165760C2EE78E,SHA256=C5845B4E8F690B6395569E1693B6ED289C55D1E13D5194EDEDF013C1A20C0CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652153Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:17.804{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CF9DD64FF302DB9879A1AFADA3F57D,SHA256=412D93885CA49FE8FC45148929ED53C22034AD1CB8C3A5672EAB098A3DFE0085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553757Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:18.991{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB979D07FB194D75A5930E962320736D,SHA256=560AFAFFDA293C72474818E42446FE1B06D613F90A3C69989F3244DD4596C7DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652156Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:18.837{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3592066698E5E817FBAF0ACDAB8450FB,SHA256=1A818174C1A34C0D2ADE16927C6A8908C7F662F2EBEFFEF6C113DA10F2E57BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652155Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:18.808{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=468B25ED7E3D37F35BBCC5211867033C,SHA256=5CBFD7FAC47FA057D7BA563F64D1CDA35509334F87C8FE09A4DDBEC705000A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652154Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:18.807{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FAFFAB691B957D77F9791C904551BE6,SHA256=BD6185592D1B1DAE23916C171B1B65B4CCEFEAA04F0466AD7E150BDA75F98064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652157Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:19.848{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0374933FF10A1C852855C6BE135A77F7,SHA256=CF636B18378DC82583F3F9DECFA199F0B65D307F77B20A24DD50A016D2A898A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652159Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:20.853{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B776AADCFC50D73891EC9FE296B277D3,SHA256=0FFC1B63FED78393204D7E259D21B4935F512CB16630C5EA5E57CA721E3AD402,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652158Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:18.292{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65129-false10.0.1.12-8000- 354300x8000000000000000553761Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:18.727{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51595-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553760Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:20.100{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B06AA4FAA1453966D0105F4D3F63F797,SHA256=8EC600F85E25E5244B34A8EEEFC96967B1F7DFC630C8D800ACDED82BF2173B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553759Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:20.100{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0F28EB918BD4D1B27B7A53260D5C0C7,SHA256=9A3E86931E3C36EEBCB479F11F90A1DBEC18472B7E4F03C38F7D9119C1363807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553758Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:20.022{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A578D72259D22A72C741421ADEFD373,SHA256=4815C881FE7453C0AC934F9E94A5EE44D66176CD34F0548B2B1F8EBD80C12F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652160Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:21.857{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C0B3638D9FC55A3073311F7A006F0E,SHA256=66B4575419A5CCD6F31E06BCE951262FD1B3CBDEC188F57E5B93805DF268A588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553762Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:21.022{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D83626940868F8B1BC6394B7012B0F7,SHA256=29DFCF6379122B25F8F47E9A3514C29878DAAC8E133A4647DE0CC3CC4027F6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652162Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:22.929{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652161Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:22.874{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2981F3D240949D7273C32A67BC00EBFC,SHA256=39A63BFADB75B868042D6D89A5FD611C7D4802EC249AE57D6666FC5D4EF2C7E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553763Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:22.069{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8531A63638D2F7451542F7881AC3BD3,SHA256=F44603064B57F04A203676769214D14F88D47C83F8C2ADCFD29791FF629A2E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652165Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:23.887{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75647B13CE6B034FEFF9BBDAF193B01,SHA256=39874BD905691CCB5015FFFC75022024C4EAFE6FF2158D941A819F346502AE13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553764Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:23.094{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D6D192413D361600DAFBCDF4CF3D62,SHA256=BE6649569F392C444B00DD2EDE9FEA7068C96CD2079D1E19185C2CCBE305E100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652164Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:23.816{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D0F3E31D3486E16364890729BEFDD36,SHA256=733BE029E235D454B021F2ADEE14A7CFFC65B2D332DC528D626B307D84CFF2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652163Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:23.815{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=468B25ED7E3D37F35BBCC5211867033C,SHA256=5CBFD7FAC47FA057D7BA563F64D1CDA35509334F87C8FE09A4DDBEC705000A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652167Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:24.903{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74F998CF3576F3181B9E95EC44C0CBA,SHA256=A0B546BBF4425780CDB263B78B2BF198A0267F0969A30C1B3407B44DB5AE9D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553765Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:24.157{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4492939FD0B6D1A538AA9A7B2A42C106,SHA256=5F538C385F02740D36BA82FB2B617E9F1E217C08B50D944BAE7EE048AB9AB438,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652166Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:23.142{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65130-false10.0.1.12-8089- 23542300x8000000000000000652171Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:25.927{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84A7F604FF9B6715A457BB7CD3B3F73,SHA256=F0656EE11F8A659D849EF6250FCF9F1999D1A27F32017548DFB2C1A5FBE93432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553766Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:25.157{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC48A12774222D374BDBDBC85E59E26,SHA256=93404ACEB49206DEBC8884A0018C56443AAD96AE1AC6A440CCC343FDAEAB73BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652170Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:23.554{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65131-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000652169Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:23.554{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65131-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000652168Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:25.099{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D0F3E31D3486E16364890729BEFDD36,SHA256=733BE029E235D454B021F2ADEE14A7CFFC65B2D332DC528D626B307D84CFF2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652173Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:26.943{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA22F13B0FA3AC962F0B42787A9A2B7,SHA256=BCC53DECF09D0637BA654998E34A6ABE351496D8546794DACF456C819244483C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553784Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.907{E1BD9FC2-693A-609D-514E-00000000BB01}20002828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553783Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-693A-609D-514E-00000000BB01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553782Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553781Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553780Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553779Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553778Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553777Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553776Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553775Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553774Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553773Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-693A-609D-514E-00000000BB01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553772Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-693A-609D-514E-00000000BB01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553771Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-693A-609D-514E-00000000BB01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000553770Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:24.753{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51596-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553769Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.172{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EA0C6DF05B47F36ACD8AC15C4E25F1,SHA256=D5A53D4D5A15802453E4C7B6B87076EBE0439FB4E47FC80D00115121C536A364,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652172Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:24.328{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65132-false10.0.1.12-8000- 23542300x8000000000000000553768Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.125{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEBDC2B33B411D7C6539A89EEBB711B7,SHA256=0D68E3554A8A061613158D0643125D26AD8ABA7824F2093C5A9DB4FD7ADBCC02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553767Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.125{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B06AA4FAA1453966D0105F4D3F63F797,SHA256=8EC600F85E25E5244B34A8EEEFC96967B1F7DFC630C8D800ACDED82BF2173B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652174Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:27.960{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C000A52A67B7899FA4DFEA19A7971D,SHA256=BE28E35A06651573D639AE213924CA98795FB4B8AAC2401E3DE379A515698DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553800Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.844{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEBDC2B33B411D7C6539A89EEBB711B7,SHA256=0D68E3554A8A061613158D0643125D26AD8ABA7824F2093C5A9DB4FD7ADBCC02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553799Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.563{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553798Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-693B-609D-524E-00000000BB01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553797Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553796Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553795Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553794Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553793Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553792Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553791Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553790Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553789Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553788Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-693B-609D-524E-00000000BB01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553787Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-693B-609D-524E-00000000BB01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553786Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.439{E1BD9FC2-693B-609D-524E-00000000BB01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553785Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.204{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7319939DC2F916B1B551BFF65DE12654,SHA256=7E9D7C23FD7EDE42AE73CD40071A5F143DE9C6C954AA2DB2A9A7522C1DF1290A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652175Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:28.967{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1BDD0B4501E797531B9EC69A8BEB59,SHA256=FAE8D6A3F8987122BFCD3E18C266AB96860E69CD2710DBBC63A82E8384FF31D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553814Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.282{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74138D8F9166AA967E6E924A4EB6FF11,SHA256=FC6D169C56357F9584F243577406E11985D3A3C03DA52EADFD185429F3AF4989,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553813Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-693C-609D-534E-00000000BB01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553812Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553811Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553810Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553809Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553808Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553807Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553806Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553805Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553804Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553803Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-693C-609D-534E-00000000BB01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553802Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-693C-609D-534E-00000000BB01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553801Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.064{E1BD9FC2-693C-609D-534E-00000000BB01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000553817Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.191{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51597-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000553816Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:29.297{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F657BBA448FCD0B5F041E4CD7BDAEFC,SHA256=C529B80FFE7F050E6A8CE4E073F265E20122A29605C26AB9CF81C2825A6A0E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553815Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:29.094{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E4B5E12C002987E8E9EDAA3F1C10C04,SHA256=9AFC0D5CF4B785B6A392151A3E77BBBE364813455A5E4097B42789829FDED4C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553818Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:30.313{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62ADAA3FDB950EEF055C6B090BCDD49,SHA256=52309E1A62930742D743DA2F8BA5710C9459ED276620C0BCAD49784AF000F7A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652178Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:30.213{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D906C05037E4B76545929885ABE9EFA7,SHA256=BE1B4CDF800E300B0FB24DAC4FCEDCC11D70D721397DBBD0357A881E8BB09226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652177Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:30.211{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F648FF92A96F7AA215C62BE6E99FE26A,SHA256=650307F38FB6B2045BFD6F303D8DACD6B7C82B55A43D970D4E3088F590751D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652176Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:30.001{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA46DC00695D73C0F962D96BE04B336,SHA256=D27E90B6E28B8ED00815E9DF5F1A5AC02ACC50899D901EA8B3CA8D3452CFF726,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553821Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:29.878{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51598-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553820Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:31.313{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7854F0B3199B820A496D49797AC786CD,SHA256=BEAD761F0905B1F3F2DCCC656512EEE56CAF771DAB48895A3B50D97E13B03BDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652180Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:29.440{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65133-false10.0.1.12-8000- 23542300x8000000000000000652179Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:31.008{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017EFA4C290018841FDE4F63F914C019,SHA256=F7706D07FF656478238AC48E314D99B08C815050057C8E2E7FEAF1C79AE15981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553819Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:31.266{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FD4D4744E4AA2F3F4050A1E10CC1711,SHA256=DAA4869B9FDDA6BCB5298877FFA38AA2C7D39408CD4B133F540412E8E8CD9803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652181Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:32.018{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A433B8184EE83F10B1D7B7A4F49862E0,SHA256=5BE20C2F88A014C947970D87A714E2756B7DBD91AB220BA16AFFD7C4308EBBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553822Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:32.360{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3C7B3B3D4A231101F57D1E3A289735,SHA256=8B6E70BB31C4DE0517588E1CA4CE0ED4339D3F578228A539E7F60E39D728A663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553823Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:33.360{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B935671FEC36D4E1B7AD8405F0D40FF,SHA256=312589C96564527098CE2CB1B3AFA117AA6AAB61454621FC00FC46626448DEF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652183Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:33.883{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D906C05037E4B76545929885ABE9EFA7,SHA256=BE1B4CDF800E300B0FB24DAC4FCEDCC11D70D721397DBBD0357A881E8BB09226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652182Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:33.036{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13101DB2B20D3504DD0C251DAEFA09D,SHA256=615829F2833DAD9CD8A98965124E797E0E516AACCB3DEAE8AE61EBB9CB07746E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553824Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:34.391{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC30891B02BCD3D1B745180A51274EF,SHA256=C7F6FC0B70114B783B5B1309C5FBE4FDFB3760C69A5879A8CDA7BC4DFA095D2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652186Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:33.113{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65134-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000652185Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:33.113{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65134-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 23542300x8000000000000000652184Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:34.047{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705A41C93774F62A31F86E4FC906F17F,SHA256=9C28D89520D07C6DDAB33A92AD67FEA4E090E4EF62884F8CF5F38C8FDB8D1B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553825Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:35.438{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB719FFC972FF187380FD4EBDB8B43C4,SHA256=374FE03253BD6F45A1F95275F851880121E657083E8FCCD61DD38D702BF33CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652187Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:35.053{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676A948F12613C07ABFB9DF5A7025DCB,SHA256=CA2888B53F6B5BE86ACD16CCF01C1528C55B60874CA5B6C5A2296CA730BC8038,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553854Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.797{E1BD9FC2-6944-609D-554E-00000000BB01}8082848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553853Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6944-609D-554E-00000000BB01}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553852Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553851Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553850Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553849Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553848Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553847Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553846Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553845Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553844Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553843Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6944-609D-554E-00000000BB01}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553842Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6944-609D-554E-00000000BB01}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553841Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.673{E1BD9FC2-6944-609D-554E-00000000BB01}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553840Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.438{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=991A81A8E11B792A057F578F73F3D1F0,SHA256=8A3A5E4CCD6F4438C1A8AF007701D839A19F6E5E403F0D89C172358E02CAD361,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652190Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:35.275{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65135-false10.0.1.12-8000- 23542300x8000000000000000652189Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:36.070{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3301732F5175F3AFD97328B53985E3,SHA256=9E6E762189E7A5404CD42907460213ACEB0A4CB44C582E27605B6449C7D9D1EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553839Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.157{E1BD9FC2-6944-609D-544E-00000000BB01}36763976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553838Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6944-609D-544E-00000000BB01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553837Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553836Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553835Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553834Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553833Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553832Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553831Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553830Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553829Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553828Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6944-609D-544E-00000000BB01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553827Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6944-609D-544E-00000000BB01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553826Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.001{E1BD9FC2-6944-609D-544E-00000000BB01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652188Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:36.046{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=318BFBB491E27A19C2A81E1E929E2044,SHA256=51E6FD89A0ABB4C12312D12448B9746D2B3303965288292784A356D528918C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553871Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.641{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F50ACC65552D8FAA31051101AF482D7,SHA256=335C28BE0187197DD95D46B9AE9F694BF78B6E839C974AE482E4F121D716746F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553870Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.469{E1BD9FC2-6945-609D-564E-00000000BB01}8723940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652191Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:37.077{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F627D6F08964F668CDF812F98D71251A,SHA256=31F46D4A449CFC8EC245FE8B87CE3B9BF8EBECEB1A6016AFF6B7176E09B50568,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553869Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6945-609D-564E-00000000BB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553868Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553867Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553866Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553865Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553864Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553863Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553862Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553861Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553860Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553859Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6945-609D-564E-00000000BB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553858Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6945-609D-564E-00000000BB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553857Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.345{E1BD9FC2-6945-609D-564E-00000000BB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553856Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.001{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CD10A34076AA16EA225E564787B132B,SHA256=2D182A226075A578DC6418B540C2F96670A822AA372121F08AF237CF5391DE72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553855Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.001{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1012499149A6594331A7F4CB00A2231C,SHA256=EAFD6B789F7EB149167C3D08896A3FC735C69BF38E0FA6335A1BBB2509F5C737,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553887Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:35.799{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51599-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553886Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.485{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7B43A55CA0784159DCC70DC9936286,SHA256=E5E749DB5318FEA0D58A4BCA64334A71A2DEBD79F7B85F957721819438F12FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652193Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:38.820{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35D052533755AA985DC6DC45A3EEF16D,SHA256=5E07CFEA72E177052BC771B4641D2DBBA5B42EDA4A8B11F982E1CD72689CD9EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652192Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:38.100{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=655348D38BF8E7DC077866F40AA9BD0D,SHA256=7F9C1FE7F445FBC0F758751408C2973DC7901BAB2C45C15F112A3BBDB49823ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553885Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.391{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CD10A34076AA16EA225E564787B132B,SHA256=2D182A226075A578DC6418B540C2F96670A822AA372121F08AF237CF5391DE72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553884Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6946-609D-574E-00000000BB01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553883Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553882Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553881Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553880Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553879Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553878Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553877Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553876Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553875Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553874Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6946-609D-574E-00000000BB01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553873Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6946-609D-574E-00000000BB01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553872Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.017{E1BD9FC2-6946-609D-574E-00000000BB01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553888Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:39.516{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3677359E6C83A9FF4F6E87295E8A76A,SHA256=EA57F7D09D09E74DA2FD13E31275B518FFB61F8035A9D7A23FB3CCB60BFA0DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652194Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:39.113{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28739BA314E47637387DA15DBBF13238,SHA256=D7647DC54BF48DDC19DFB9DBDFC12A83B0CF80EA48F37DE5F885D6EAB74D29CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553889Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:40.532{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9C6593F9AD49F1C49C093646CD94D8,SHA256=6357E3A94A4432B910704462B4F1657601670402537513D703C7197EA2E55AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652195Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:40.124{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE342A5E6A806B931314C39E357C3B08,SHA256=F900221FDEF5C4FFB5EFF7AEC24ACF5F4692D72D714D5332D64B075F0A705871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553890Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:41.532{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A51FA46A727DA58178130581CE4C92,SHA256=A788EB05432F55B8CC6493F3311FBF07573A7784948B725E95AB9E22484B9E2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652198Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:40.473{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65136-false10.0.1.12-8000- 23542300x8000000000000000652197Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:41.324{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8326F91660AF723F03F72E31CF5912B,SHA256=F22FB6C4898F411347998D331F00A4051C82A4429E23F5047FC5B843C84CFE58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652196Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:41.134{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD5224590E84CF0EE67EC1A6D5EFE3D,SHA256=8A07FF48A91B65019E72C6D3D9D1388FD2ED1689143C504F628EE152F96A2426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553891Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:42.532{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706F02DDB012E54DE034E2CAB749B603,SHA256=0B9804FF28CBF82E38A55793BB8E80A5C218A31C7485DBB9738B266028C81077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652199Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:42.148{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2776C7C4EBD65B2849BD14F7890F30C1,SHA256=656D5FB95A4C05AF56E82A5AE923477BC6A3AF6C2710B996A3A8DF7B220AA2D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553893Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:43.545{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4EF0BD3A0198F266E7D48F951018FB,SHA256=B74E4E86841EC0796B2857423F5EC65408AC234C3C5C8065B4AA55C42690B11C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652201Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:43.823{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E81FAF64B7CD5EFF4570DB3A41F81470,SHA256=421CFAB436AB0575D3858E9EC33F96A027E7E07ACC7AF2C7D00615B5C5F0D31D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652200Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:43.155{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2075F9739AC38617BB7CA0EFDE6B9CF,SHA256=CC394BB575F085E29278A8A27B340F9467214C4641F5B23E4B4D8C0EF89ED58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553892Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:43.123{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55797CF18701F58E2FC805F187756B5F,SHA256=B6AEC9EA8FA7DFACFF5D14118D96FFE7CCFD944040DECE9CEBEDC5321B26E620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553895Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:44.561{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F549AB474DA9AA168ACB43891E3F6D8,SHA256=B8253A695175B9BD69A55CFB35DE1FB1059B77603642209A50054390DE5E1675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652203Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:44.507{7B03F3B2-4788-609D-774E-00000000BA01}1036ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1036.xml~RFa23d505.TMPMD5=5714059E6175AA2BE2D911D4379F98E9,SHA256=264C6878029CE25FF6ED4F8B1DC23FC47E1DCE8FD2D3EE4B31E7066B69968955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652202Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:44.163{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89387B076B54CFC265629EE2828D2F89,SHA256=C4696895250A95A772966B88084281FAF0F53B53DB2D92250906DAE26A46D235,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553894Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:41.706{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51600-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553896Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:45.561{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD111AFC4696464590052BF5C0922CF,SHA256=9587789B0FB9F551DA92E80F3D00B86BEAFC2CCE5A2A1B21D003D60E49C0C0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652204Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:45.173{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0317B30DBB5AD358DB7D212B43AF803D,SHA256=C855767C3BA90B1CC1075A2AEFA76F448809AD4F8556F782462B48C9101CF1D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553897Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:46.623{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E534C1F00B668FCF3990D5E848C4920,SHA256=D59F7E85BAD237DE8123C4A5A5F850C69F36D72740961D4C3144860E0598B647,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652222Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.938{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-694E-609D-4253-00000000BA01}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652221Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.935{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652220Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.935{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652219Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.935{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652218Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.935{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652217Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.935{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-694E-609D-4253-00000000BA01}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652216Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.935{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-694E-609D-4253-00000000BA01}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652215Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.934{7B03F3B2-694E-609D-4253-00000000BA01}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000652214Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.460{7B03F3B2-694E-609D-4153-00000000BA01}72447792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652213Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.266{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-694E-609D-4153-00000000BA01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652212Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652211Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652210Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652209Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652208Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.264{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-694E-609D-4153-00000000BA01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652207Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.263{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-694E-609D-4153-00000000BA01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652206Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.263{7B03F3B2-694E-609D-4153-00000000BA01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652205Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.187{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72CE830B3C3CBF14D12640E071F28A16,SHA256=8F03380C6BE043F5A81C38188AE7D92DC373532F7396C584C875478053297819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553898Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:47.639{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420694F379E6055F88AACCD13CA0C76F,SHA256=E602B810E29217DD6AD79743E00C4BB0EB642F1559DA239E83D2D67FD2E18F22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652233Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.396{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65137-false10.0.1.12-8000- 10341000x8000000000000000652232Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.531{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-694F-609D-4353-00000000BA01}7952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652231Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.529{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652230Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.529{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652229Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.528{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652228Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.528{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652227Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.528{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-694F-609D-4353-00000000BA01}7952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652226Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.528{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-694F-609D-4353-00000000BA01}7952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652225Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.528{7B03F3B2-694F-609D-4353-00000000BA01}7952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652224Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.202{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E2A03EAF86C82088DFD34A430BDA43,SHA256=740183B907FE9C30C4E85C97FBB3C6A11A0179630DA2FB416D405C314B1ABC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652223Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.173{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE3ACBF20EE7CC8D446C2F61E993702E,SHA256=82C48A12BB4A05B9A034CAEE3749C6E2EE2D7FF771D9EE3BE3A9687765B68C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553901Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:48.654{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE9E02389E25EA14D5AF8675DC99FE2,SHA256=B146B82C588B0458AFB2571643E88C673BE61A6CB711935E68DBB64466C3DDC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652244Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.600{7B03F3B2-6950-609D-4453-00000000BA01}9962060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652243Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.536{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A55C098AEF7AAB39E6E5D2BB49A57940,SHA256=5739AED666EE87883131DBF5553F0A6AAD434F11A36BA292F741DA112B9CDB77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652242Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.451{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6950-609D-4453-00000000BA01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652241Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.450{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652240Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.449{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652239Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.449{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652238Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.449{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652237Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.449{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6950-609D-4453-00000000BA01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652236Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.449{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6950-609D-4453-00000000BA01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652235Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.449{7B03F3B2-6950-609D-4453-00000000BA01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652234Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.221{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DCBF7F4A4D96970FA4487B5760C56F,SHA256=81602E41AAE4B186CFF8023B0CBE73F9C48E6FD6837C14EB89156DC588BED155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553900Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:48.154{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9551F58B7005BFC94FA0CD3CDF43A0B,SHA256=C236BB861C1E19A4F0B23A25633700DCE2BCA083474C70271BD6AEB2C972AEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553899Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:48.154{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EF19ADBF93F81D8659FDDAE36887969,SHA256=9681F84D9008FE195480EDEE0F73BF5624F76DE2C1A1217984953FAF322B60BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553903Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:49.670{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518E1F4B5CE0999764073A1892D151E3,SHA256=2B7D87A741AAC7F04782A1EABB680BCAF431378FA6D85EB747A1178E777C1C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652255Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.608{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A108ED7601D0B1A7FAFF4DE3E522787,SHA256=F8ECAFC507F5E4B83683D197033404DCD3A43B4299769DABE2F1180E3875FA0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652254Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.292{7B03F3B2-6951-609D-4553-00000000BA01}41245324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652253Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.239{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237745DE652D8944D1CAF3370D6A1DE7,SHA256=6E7E297E6A135F7C98597B69190146313B61B5A25242840EB74FA5E7AB5DBBDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553902Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:46.719{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51601-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000652252Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.127{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6951-609D-4553-00000000BA01}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652251Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.125{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652250Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.125{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652249Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.124{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652248Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.124{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652247Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.124{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6951-609D-4553-00000000BA01}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652246Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.124{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6951-609D-4553-00000000BA01}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652245Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.124{7B03F3B2-6951-609D-4553-00000000BA01}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553904Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:50.732{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E583641CC6E93A29CB90BAB6C531BC37,SHA256=7BBD0861C57A0E5764F8A159F3605C3EFF9E1067AA8DA98EEEE25F48DBCF536E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652256Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:50.262{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E91FD4AB898F345A086BEF74E14CB20,SHA256=BF6E548777181AF77E70DF2EFD5DD4A74101740EAD82C32A33AFB7EC83BB7C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553905Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:51.732{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9596B8F45BC976FDD3F59D20F91DA401,SHA256=F00460BDE81008D35847A80BC6AABADB7FB221EF7ED2A43468D07C86EB40598D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652274Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.986{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6953-609D-4753-00000000BA01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652273Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.984{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652272Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.984{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652271Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.984{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652270Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.984{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652269Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.984{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6953-609D-4753-00000000BA01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652268Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.983{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6953-609D-4753-00000000BA01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652267Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.983{7B03F3B2-6953-609D-4753-00000000BA01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000652266Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.382{7B03F3B2-6953-609D-4653-00000000BA01}33646308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652265Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.284{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79E492FCDC9ABE3C73F059865B713F5,SHA256=290D0E849DA4E5566AD9E5D4C000885A4A71265662A88CB6B0275B44FB4359AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652264Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.210{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6953-609D-4653-00000000BA01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652263Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.208{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652262Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.208{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652261Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.207{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652260Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.207{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652259Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.207{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6953-609D-4653-00000000BA01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652258Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.207{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6953-609D-4653-00000000BA01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652257Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.207{7B03F3B2-6953-609D-4653-00000000BA01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000553916Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000553915Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a1c599d) 13241300x8000000000000000553914Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74819-0x87c581c2) 13241300x8000000000000000553913Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74821-0xe989e9c2) 13241300x8000000000000000553912Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482a-0x4b4e51c2) 13241300x8000000000000000553911Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000553910Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a1c599d) 13241300x8000000000000000553909Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74819-0x87c581c2) 13241300x8000000000000000553908Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74821-0xe989e9c2) 13241300x8000000000000000553907Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482a-0x4b4e51c2) 23542300x8000000000000000553906Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:52.748{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8171D710546A9C006668A5CA3353101E,SHA256=38BD7658200349B5438F05CBB17912B968005160A7991D1515AF025EEC6E6693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652277Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:52.905{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F947B3BA47EF6163E736B5CC8FB6E5BB,SHA256=BF6152EB674ABEFE348099171D55A2F1B69A17C3898793739A50AA8874811E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652276Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:52.294{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A13895EA184DFBAC20862E3B221EE3,SHA256=0280A003ADD4BB663023FCC5AA9FA52895FC4ED23DD32B61CF121AE20D15D2C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652275Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:52.224{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44FC4FDA09CEE8B8517894D2D50904EA,SHA256=64B08E594102F7ADE263AA78724E130B0B6FF9AA5E51C47D2560F33080A967AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553920Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:53.764{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC433579C9A06CB0F541CB765C1CE00,SHA256=9C111B5F9284C822F1B525C7D20E18CDAC2F0A2E06B7BFD1B8AE88ED0A30C3E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652279Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:52.338{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65138-false10.0.1.12-8000- 23542300x8000000000000000652278Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:53.427{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DBBC70561264617598D95AA3F57F66,SHA256=CA04F99E03B5E71AD976D1A272379B58A7D030F745EB734CDF8E30A734E004F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553919Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:51.781{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51602-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553918Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:53.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=844575E415A19EA968D634142019E3E5,SHA256=6E5DA4EAB7D0313CB75E7EF2270FC629C8FB2A59B2E02E11C94FC3FCC62B9EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553917Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:53.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9551F58B7005BFC94FA0CD3CDF43A0B,SHA256=C236BB861C1E19A4F0B23A25633700DCE2BCA083474C70271BD6AEB2C972AEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553924Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:54.811{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074ACAA16695CD933DA3D32A4C7BED2F,SHA256=D59C2B0492A79DCBC203226A162D1F3323274C59A8051D712E0A6A027CC95E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652280Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:54.438{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1089FCC275BE384D5D9E6926D6A498,SHA256=CA54C9837AD6753D4B2CC2ACDFE3B2B2528B21805D1DD2D3C469AFE9A9C32F72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553923Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:54.404{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553922Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:54.404{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553921Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:54.404{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000553925Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:55.827{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8178F7851F310200C5C0B45CD384C6,SHA256=1A5A12398B5F026AB5B233E3A7B33C1A4A6527CC04976D8B321F751A5CD76BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652281Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:55.449{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBC05D11D09D822F0A4FD5BD441A179,SHA256=23D2A998BEFE744E8AD437F4E9B8F5303C72D2FA0CB372992D9213B8C14A7505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553926Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:56.841{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00675247DAC0AB2614B322ABAD92E1DE,SHA256=106D9C938533822D6C38C189EF2A721ECBC9B6ADE1FD85F1E46A0514EBDE695A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652282Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:56.454{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB60F00589C9C59F5E0A4B1A9112146A,SHA256=59E354A133FF5B329F06D85E04B3B29DF342D3C604154F683B724527A944DAB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553927Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:57.842{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66790D4AFB2EF305E775924395407B40,SHA256=F058EB17507864C2338401EBA1487E637576C254FA4B319315284A5238803008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652283Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:57.466{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC1981216ED3B77FFFE6780945E1168,SHA256=8A094AB6FAACECF793127A72FB08405032A3D142D7C8D91A129FB3CA85399A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553931Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:58.842{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81D8FDF6898DB88512D84338CF59D8C,SHA256=4CDA46CA89A08E013834D7E5C8EFC8FCBC173E10E41B27605C66361B587E5182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652290Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:58.483{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579DF06CEA9755FBF9C04CFB49AAAF48,SHA256=014431B6156A365FA9D4994A469BD57727370BFD109AEA67BAECF242C6C13431,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553930Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:56.811{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51603-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553929Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:58.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E319C417848A62746A86F4F47DD57E82,SHA256=E0AD40E9ECA53EA4FBCBEF1372793AB5A35C70E1ED1C052C10FD9739D85330F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553928Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:58.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=844575E415A19EA968D634142019E3E5,SHA256=6E5DA4EAB7D0313CB75E7EF2270FC629C8FB2A59B2E02E11C94FC3FCC62B9EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652289Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:58.312{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\aborted-session-pingMD5=5216D922996B57BE5B16DD2B588587B8,SHA256=A3A41E3766B277C93DB37120EB6F4E14C19E40C150EE569CFA852644FC75CDC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652288Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:58.282{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000652287Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:58.282{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652286Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:58.282{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa240ada.TMPMD5=36DBBADA813EDB200C2B5A8128054E48,SHA256=F4E0DB2CD90C5DD2683AE772A460616D1F0DB8B7E1C978F725E37B250DA33754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652285Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:58.214{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08102E4FF895225D26AE1B4C90ED902A,SHA256=9DA68B5E8C17693013219E8C2E7F13A7BBFB8925E85049F3E107E47A52DE22D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652284Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:58.213{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0D0E512FDE671F5D172E5868867B3D1,SHA256=C1ECD7F51DD4E05FC70C0CB89FB782F9AFD722E30AC0EB302036AE234FCAA106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553932Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:59.857{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61808D3BE16B11888BD62C91B60214B3,SHA256=3A8140610DF9F61D66EF6818F8C38DC4B9B1B2DC4370E71C5AF0FF963BA04D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652302Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:59.497{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5EE762623B6E06EF04A75CF3D61C6B,SHA256=66E9607E39FA13CA328045DE1874CED3057309519FD1EB86BC7032C667EF4E33,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000652301Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000652300Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a240ea3) 13241300x8000000000000000652299Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74819-0x8bc0e5dd) 13241300x8000000000000000652298Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74821-0xed854ddd) 13241300x8000000000000000652297Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482a-0x4f49b5dd) 13241300x8000000000000000652296Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000652295Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a240ea3) 13241300x8000000000000000652294Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74819-0x8bc0e5dd) 13241300x8000000000000000652293Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74821-0xed854ddd) 13241300x8000000000000000652292Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482a-0x4f49b5dd) 354300x8000000000000000652291Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:57.440{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65139-false10.0.1.12-8000- 23542300x8000000000000000553933Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:00.857{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C5DD702A16F61B3F686E2E77E62CEE,SHA256=F93CD5689B1BFF34B113467CB23BE610573766DBFF411BB58042A0F529B59DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652303Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:00.519{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=160E016E3E682896B9F401D325B685D6,SHA256=1231FE80D1DFCCC40AD15A693985F1F2A01AA18AFE19B276EA7A22F27A74091A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553934Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:01.889{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29E57E484E0A194889904E864E0DB6C,SHA256=B63F894145F8BE7076BFC9FBF1D19188CBC11BBE60C0F104C728E5C50799C407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652304Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:01.523{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED41A0BD6F3153BD9062F46102339FAC,SHA256=20A4F9C1291480E5824728DF196D6BAADDFEF1E575BF5ED881151113424DB459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553935Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:02.905{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67083965635652CD0DFDEE09B007A6F9,SHA256=EFA7BFBA1BCCDABF252EB0AEC4C4C1473DA08B89D0F172310EB0CAD8CEA4004F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652305Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:02.592{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E716A8070C39F485A688CA138DF5AF3D,SHA256=644AB136A98A67C5405E3802A614BEB7355BADCD67ECD945E1A5D6F308402102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553939Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:03.967{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB4DC10E1DAC201F99193FC33453CC7,SHA256=78D34220A14896484EC596D6EF3688BE8FC12B64D76722F9A25DA231FF70B2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652308Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:03.602{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56529040FE4CC26FF439EE37679C70C4,SHA256=BC06846D2AEC77FE98F9EAC21AFDCD88CE69E164677950D048E5571AB9B59F2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553938Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:01.844{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51604-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553937Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:03.233{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE851FEE5EC158DA44B980DEDE3914ED,SHA256=6378298F0AA13EA2FA5A85B239849FB002529EB73C83A3EA31E2A505BE8F47FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553936Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:03.233{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E319C417848A62746A86F4F47DD57E82,SHA256=E0AD40E9ECA53EA4FBCBEF1372793AB5A35C70E1ED1C052C10FD9739D85330F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652307Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:03.305{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FA7980A8AC46AD0012A1F7521EDED93,SHA256=ADCE4394F8BDEB16D7DD69E796C91A0AB3D9E1087EEC9059059471C8F91D4A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652306Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:03.295{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08102E4FF895225D26AE1B4C90ED902A,SHA256=9DA68B5E8C17693013219E8C2E7F13A7BBFB8925E85049F3E107E47A52DE22D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553940Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:04.967{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE03C4FA4E5497321AD0ED7F594AFB1,SHA256=9BA9AEC5FC228883F21ADD9E69EE48A8B58B1E9CA1A337BF831C404F70C89D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652310Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:04.622{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50C83AD253E9220A2033AEC813D51EE,SHA256=CBE8A8A514CCB2D72B95ABB91C4E531B5B02B2CB080524F04DBC1A9BD25B4566,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652309Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:02.480{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65140-false10.0.1.12-8000- 23542300x8000000000000000553941Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:05.983{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F259AA5A245E033D52F8CD3BC5F5090,SHA256=AC85441F94575028E78330650486E34FEBD6ABF5CAADBEC9988E290342362E05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652312Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:05.692{7B03F3B2-D0CA-609A-0D00-00000000BA01}9127316C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652311Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:05.633{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FC2787BA9F60628F7443976E50DA14,SHA256=4F45FDC920AA61CB0337FEBFD9AA9BE6F58CDC81D3141C1FD889C747F534614F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652313Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:06.638{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C24F393B7BF2984AFA219D93BA8E305,SHA256=A91D7B4CE755EAA82B238DA1A2381E60A89E13E42512C551CC74E751C54985DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652317Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:07.646{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73DCCF9B3A06E04E3921C74A29B30A8,SHA256=CED813EEB671CC40C01BF0009FB853C2282B8F201713BDD03815CD780476DEA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553942Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:07.014{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B67AAF6EA6F37B0F63B9BE43408538F,SHA256=704DD2F8DECECDE07A46D442D0849C49D7E3BE157A171B80C08BB9D3B6084420,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652316Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:07.196{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652315Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:07.193{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652314Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:07.193{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652318Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:08.662{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=535FF289D00C1D59079FACEAE6395AAC,SHA256=368667C1A43E41505034D70CAA8CFCBE912788529AFFC96E0122F18B57781D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553944Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:08.733{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3D654EE0870478C0FAD72E420FD14940,SHA256=D4378E8F7181B8C51390C697B84EEA23821741A0FFCA53D255A6250EAC4E44D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553943Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:08.061{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12993D4ACBDF2CEB39EB28410DDCFD3,SHA256=183FC654AB79B407805A08E2B19CE632F61F2CCF646A43450EE1FF49E43969A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652321Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:09.682{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403328366E6A38AC74B62F35FF381C2E,SHA256=84090490D1F77B856BC79A77BD3A551E295912A072E7059CBA25195F007C73DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553948Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:07.719{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51605-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553947Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:09.124{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B0B9D28E5136439EEE85C6B4BE5A66B,SHA256=AFFEE5FD9B5EB9F85C19B4AA800D1BCD07BB8D83852B9BE600363F1AF0B203C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553946Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:09.124{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE851FEE5EC158DA44B980DEDE3914ED,SHA256=6378298F0AA13EA2FA5A85B239849FB002529EB73C83A3EA31E2A505BE8F47FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553945Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:09.077{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDC6C146993902AE108A497CECD20A1,SHA256=3F102659D12B80201D415C4B1139E1EE92C2413371C6BB909A8011A0A0D54A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652320Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:09.225{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2890AADF2390AD40E4AFED4D8F12BE62,SHA256=9B4C0A23D2D0C69CAB09FBD495FF248C69FED1FE91E21454F1CAFDD324F87C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652319Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:09.223{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FA7980A8AC46AD0012A1F7521EDED93,SHA256=ADCE4394F8BDEB16D7DD69E796C91A0AB3D9E1087EEC9059059471C8F91D4A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652322Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:10.686{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3845531193728F8B0F23B19111999F62,SHA256=B6A45CD831DE6A72AF0E2FDC1BD1BA2C2DF4E8826D6BA53B77B5867B0B51AC48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553949Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:10.123{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F26E5584B8C4ADBE76CDD9F475D8AD,SHA256=5D30753A5AA99AA1FD848841A2E7C86591160646FD3DF740491DBFC176785AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652324Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:11.702{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3B06EA4C0DBA18CD53336201D21E84,SHA256=40E7AAEBEEE258476DE585AD5FE158F7D4E16AA064F8DBC2180D985434C7F53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553950Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:11.155{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3C2C58429448DE63601DF2CACC2F49,SHA256=1B6D03703905BB467F0D0A85874ED9C83EE509F563945A90FC71B07F2297F79A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652323Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:08.452{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65141-false10.0.1.12-8000- 23542300x8000000000000000652325Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:12.713{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CB035B57AA040151425433E9781038,SHA256=2246DD9A851FD119DE342228D7C34EEA1EF982ABB77D96E381C85DBC3B173884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553951Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:12.233{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF0C271FD44E74E282F91FD6718F677,SHA256=86C51E698A1A50CDEB7AF9B4DC40264A915B40488C5F2D24CB033FDC09488BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652327Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:13.877{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2890AADF2390AD40E4AFED4D8F12BE62,SHA256=9B4C0A23D2D0C69CAB09FBD495FF248C69FED1FE91E21454F1CAFDD324F87C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652326Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:13.725{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC5634D4E3F4E7E25CB4452F15B6718,SHA256=C6A8A6C44639E4890088C3CF9230EC0D4585F7BE3052F0C12C9946B745CBE0F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553952Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:13.248{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD40A016142A25BD56F26063719D174,SHA256=5911A9E3FF22807002F6A7557BD5FD689A87298612A30AC810E3D70A462D79CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652329Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:14.731{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC9F9EF47524D84D1243D2C1C65B64C,SHA256=C6470D930D6F72A12321ACCB7692564DF541839FFD06F08375E5AFA1D0FB4F4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553956Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:12.750{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51606-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553955Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:14.248{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA51D210B883CC08C9862AACEACEE5F,SHA256=C650007BB1270668CF73B3F4E1991F9B50BEB631B17091D9842BC916DF0888FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652328Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:13.100{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local57053- 23542300x8000000000000000553954Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:14.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C30CE5E046B788A63DCE3787BF7DC36A,SHA256=37C1DBCC24953A0C14A8F6F19BA1DD9AED2A7086A6818F16BA16F9C91A2645E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553953Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:14.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B0B9D28E5136439EEE85C6B4BE5A66B,SHA256=AFFEE5FD9B5EB9F85C19B4AA800D1BCD07BB8D83852B9BE600363F1AF0B203C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652332Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:15.778{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0A1861C263E786AEA3A8A3416B6608,SHA256=D44AB03670CFE691E5561B8239946D99D09C862EDD2271FA2AE071ED70E80FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553957Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:15.248{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DC92ACC80D1C4DD394768E5D7F86A9,SHA256=FE167B1254E02956C6B467451D11A98180DBCFA4F1AE776A6A481036A00D2B54,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652331Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:14.337{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65142-false10.0.1.12-8000- 23542300x8000000000000000652330Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:15.127{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61F2361457659ADD870E650DBB637A35,SHA256=8389523A2F2EAC3E3F760B02E7BF61BAB882ED11D4D0BFA521DEF472382657A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652333Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:16.789{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72213F153CD2F492313D3C168BB9FB1A,SHA256=52ED553D81039F01645CE35F208402DE4819BA7DA3A9CFD0AB23433208979F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553958Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:16.264{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B15468B2423FF7E9095EFE87B5361C9,SHA256=E829F18D33D0D7D478C441775BA985B2930EA924F6A2C5AA19ED08E7EA20FAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652334Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:17.797{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACFA84E38B4899CD42538766EB9CA44,SHA256=B0FCD3864F5B948C949F9E44C2034570E3280CBFE305331B0883C0F706AAA54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553959Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:17.280{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBA24E685B45CB14252722D89C698B1,SHA256=C7336F13CB4D1D70C181C779E5AA80BD0DD77FF4D76787ED72966741D5A63EC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652336Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:18.847{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7003C3872D0352157C692EA9C4149CC,SHA256=9F2E41CF3D817134EA3E6065D94BB37C7001E6DB4275B3E7F8376BE9641FDF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652335Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:18.804{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2423BCA0193A949096E92A5874D412E2,SHA256=7C7241DA7C014C2B03E8B2D9169DC5237EEC2D3F9F9ADFFEC0170524A6F7B96B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553960Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:18.311{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF0F97643E00E94762236292E67CCF1,SHA256=D75F8ACEBE75E04B79837B631642869CF4C9B2E81F8AA68FE3B8EF38163BBC9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652337Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:19.813{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61B6A2594ACFEDDD3D7976F97AB7644,SHA256=185E110F07BD7C45ABE98F8AE146DD4209F233E33F8C007EE8F6F81F458BC589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553962Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:19.327{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38EE3CD41133105B3A2911DCBE5CA46A,SHA256=2F23CD6980F22614BBBE777C12B4950B5D072F650299F1AEA34C87C2E7389887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553961Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:19.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C30CE5E046B788A63DCE3787BF7DC36A,SHA256=37C1DBCC24953A0C14A8F6F19BA1DD9AED2A7086A6818F16BA16F9C91A2645E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652373Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.852{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6722BF9882B7C829B1B3D7747690DA3,SHA256=2EE939D6EF7A40BF1D60E6EB8C78A03CAC76826DAD7A22F8DA2B508A6734DB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553964Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:20.358{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A339FCE1BA252D454F7A69EF983CEFB8,SHA256=B214E4DE74679CF60FF589B94BD542F0042AEEC00C173A14A624BA2E3F86059B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652372Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:19.370{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65143-false10.0.1.12-8000- 10341000x8000000000000000652371Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652370Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652369Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652368Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652367Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652366Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652365Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652364Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652363Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652362Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652361Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652360Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652359Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652358Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652357Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652356Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.278{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652355Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.278{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652354Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.278{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652353Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652352Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652351Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652350Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652349Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652348Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652347Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652346Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652345Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652344Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652343Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652342Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652341Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.276{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652340Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.276{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652339Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.276{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652338Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.139{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00722ADDE5F64656A16D712A18FB17F2,SHA256=83D875BF194C0B2C100504271388C8DEEF76875167D16F96DCD5F83F28B64962,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553963Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:17.813{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51607-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000652374Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:21.862{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80DC71DE71FA55C3DAC498BC98B50FD0,SHA256=598409B9E6FCC558E3E10BEDC4BD3FD7469ECD2DD5B4BEA873E6CB10106B5AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553965Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:21.358{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E906FE9AE98CBD0F63DC03C15F7522,SHA256=992399AE7B314FA88343E50AA9C44F48C19A9DBC434995A1B3AF4B516D70F898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652376Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:22.935{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652375Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:22.871{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86336C83AB37560FFA0EA36C0AD8F75B,SHA256=7967E9B71CF1CC84517831554FBB1DDBC08A56AAA2F5FC97E901354B3AED7409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553966Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:22.373{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B414A04DB7ECE87870EA80580D5760CF,SHA256=1140F2F2B63CC817BD4BFFC21B387AC53CCCE9F5142C3B37219FCB27C69235CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652378Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:23.945{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF848978021A2109741ABFBEB1B8DD8,SHA256=4CC0A53196C81F277C5A8F7CA317B4388F3DE1763619430700FE0275476C8461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553967Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:23.383{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA57ED49E588623B8A3C08397D8F606D,SHA256=D055C3ED080AE37E09E183138B5009814A896B180DD68052A4F943FE62BBBF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652377Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:23.853{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F4B4D81BE22EC1D3A14027318B957DD,SHA256=52424D478180BCD1EF0224517500AB662D3BB481D4D6FEE6C936B54A6E25BFA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652380Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:24.951{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96FF5E7B84FB63AC729EDA6DC214632,SHA256=30DE94C62385D4A013B3133FD49C6A94FB39555065D02E60D72FCF26D0BF06FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553968Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:24.398{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79853D56EDE88CCACE5900E55BE22F8,SHA256=8C20F429B0C08990DA23404EE96D95E8797BC69917E4946B32BE7027F2806A56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652379Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:23.172{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65144-false10.0.1.12-8089- 23542300x8000000000000000652385Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:25.957{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE4ADCCB3D070254416305781992512,SHA256=73FED5A3ADE1DAC8F54FB3DCF30427D280FEAE243E223434B5ABB61AC4C6E8E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553971Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:25.414{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FCAC76C93DD4BFD2CB81B71BC84491,SHA256=ABD1278CE4208DBC1B165A91DA0879B12585970E02E79B55B7815DE992D23F32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652384Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:24.386{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65146-false10.0.1.12-8000- 354300x8000000000000000652383Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:23.563{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65145-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000652382Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:23.563{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65145-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000652381Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:25.178{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEC31C425414C19359505DC17CE0525E,SHA256=94CE0188F46040DD79A9CD403AB32E47FF4647CA6B87D08E969B5BDD6325AA23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553970Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:25.226{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C15E2D8FBEA2BA654F91F2DF19A235F,SHA256=C4C23A79A8C741618D6558CA2267F4DC0252D5A3C79BB00AAB2344CD26247D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553969Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:25.226{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B63817FB112F6E47BA2A53D606D5F406,SHA256=00B8B02BD816219022D845926BB9206DFD45F3E334FB86DDF01D64DAC4C3D745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652386Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:26.961{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9890378A051B8C8668499219CF240E6,SHA256=FE0F5A5AE2AD3F859C7D01340A2AB67342B178D0503B16FF6E0145C7C2A452A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553986Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6976-609D-584E-00000000BB01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553985Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553984Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553983Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553982Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553981Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553980Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553979Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553978Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553977Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553976Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6976-609D-584E-00000000BB01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553975Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6976-609D-584E-00000000BB01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553974Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.790{E1BD9FC2-6976-609D-584E-00000000BB01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553973Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.476{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A18F99F7F7A18F0F85A28D464E7649,SHA256=03CE56605744AA1FE6C39528A7FCBCAE02DCB0F6C1E9F93930E60113EB9F9877,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553972Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:23.806{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51608-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000652387Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:27.969{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D2270C8AB16BE62195A3D5F7EB1BFC,SHA256=AF76DACA88D1D92E717656DE1B11710717272AF57C66E220656B6AA20606861C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554002Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.804{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C15E2D8FBEA2BA654F91F2DF19A235F,SHA256=C4C23A79A8C741618D6558CA2267F4DC0252D5A3C79BB00AAB2344CD26247D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554001Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.742{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A410E3C833933CCED203025A07D551,SHA256=C196A41C87161D60D40A9E5AEF774D5D2CFCACC0342FE51816BD43867F2469E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554000Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.586{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553999Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6977-609D-594E-00000000BB01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553998Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553997Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553996Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553995Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553994Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553993Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553992Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553991Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553990Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553989Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6977-609D-594E-00000000BB01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553988Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6977-609D-594E-00000000BB01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553987Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-6977-609D-594E-00000000BB01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652388Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:28.985{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4CDAA362B1C3ED3F19239B4D8344F3,SHA256=EB578344301AB165423DD5FD263866839B7214C5D74C87E9958CFD304B12B287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554017Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.617{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3ED32603A72A1A0AB9EFBAC858910E1,SHA256=93D751911887E1F65B8B8B4A835D1105FC450D53C5C4C90673087D6C5F36A4C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554016Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.258{E1BD9FC2-6978-609D-5A4E-00000000BB01}19762664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554015Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6978-609D-5A4E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554014Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554013Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554012Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554011Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554010Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554009Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554008Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554007Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554006Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554005Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6978-609D-5A4E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554004Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6978-609D-5A4E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554003Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-6978-609D-5A4E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652389Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:29.991{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A940BF730F9FFCFBB91AD18588ACE2E6,SHA256=74198A189C142FC82D71EBEEBD374AE6DC0F79D790FC54886A02C4417C5AFB90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554020Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:29.648{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1915E7E87F4C177D571DA98CAFD8EA5B,SHA256=5410265CA8C17F68E705A81E4010B691E8AD3542A7EF3A6F339732029552CCBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554019Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.213{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51609-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000554018Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:29.148{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC97C69875DB3D047A72DC8618EBED7F,SHA256=BF4498ED1A3211384C2E3B56D47D89DB737A22D2BB536ADEF55967CDBE846220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554023Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:30.664{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787EF67E1FEC038B755729A796BF1697,SHA256=01C690CE7846FA0DDD2FD948D684A59361BFADAFBE4969EDC90C9E58116C66E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652392Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:29.396{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65147-false10.0.1.12-8000- 23542300x8000000000000000652391Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:30.173{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C667AB9A2411A1D1AE3BA28B02CABC4,SHA256=BBC0AD7B2135BEF0B2A7319DF9C52ADC2F73FB0E7DD61686EA2E6CF60C44EF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652390Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:30.172{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DED80BC0BB5B66F71C37A69586C1C920,SHA256=CF4FAA2DB6C2EF66C009B065F4B5A5AA4310B87014D105B7FCB23717AD711EF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554022Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.806{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51610-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554021Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:30.195{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07B8F96F9A5A31FAC40EE84501289FF5,SHA256=85E9BA241F40AEF3AAAF695695E8C92305B191A0E1C3BEE119B2FFDE85AC1DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554024Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:31.679{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70972A7FCB07A1FE7F2AFA148EC448F7,SHA256=EF07A48A059510FDB4E989467B83341F7A84F4C60C38F4CA1FFACBBF4A5B7230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652393Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:31.066{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3EF3DD7E40125C982664E1CD62C8B3,SHA256=7295E772B4B6E17C9983C8316D634B49C93CA9F32FE8B66BA9A2ED4A59E95C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554025Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:32.711{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A7D4CDA3AE9BED20159ADEFD356D95,SHA256=0925DF811180CD5F939D041230B144A166766156F9749561017703BC95A31036,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652395Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:32.942{7B03F3B2-D0C8-609A-0B00-00000000BA01}6324648C:\Windows\system32\lsass.exe{7B03F3B2-D0C5-609A-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000652394Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:32.090{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598DCEA0F14A64FC968CAB8D41719821,SHA256=81A49B55677DD16611A8DFFA99D12A4582A255FB6656025C506D119113EEDCBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554026Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:33.726{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C2CF49474041721D20D4FB60143A016,SHA256=0D3FD89E388F7B506C3D809AA7C560075A02210404CC3AC2D7E9792C0F2802AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652397Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.847{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C667AB9A2411A1D1AE3BA28B02CABC4,SHA256=BBC0AD7B2135BEF0B2A7319DF9C52ADC2F73FB0E7DD61686EA2E6CF60C44EF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652396Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.094{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0155E0BD8666C8A4CE964CABB5BC8B33,SHA256=1E381F9ACFC2EEF2D0E493AED7A3AF66BB248B17426B9D9585381CCED084DACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554027Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:34.773{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A3606AACEE2E3264EE044C5AC2B3B4,SHA256=16FCCD332C52ADE211E4F01BEAEBD35A26435F30688DBBEE98EDFE21F93B1793,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652404Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.182{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65150-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000652403Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.182{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65150-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000652402Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.081{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-18.attackrange.local65149-false10.0.1.14win-dc-18.attackrange.local389ldap 354300x8000000000000000652401Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.081{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65149-false10.0.1.14win-dc-18.attackrange.local389ldap 354300x8000000000000000652400Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.074{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65148-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000652399Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.074{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65148-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 23542300x8000000000000000652398Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:34.132{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862A61F04896B7683AEDDC458DFF6757,SHA256=62DE9B5CE4CE483EF3C4782BA7030A5FBC70D1F82E9C32E2AF1DE2BA999B20BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554028Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.820{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20AB75CD4345A2340471DE250249708,SHA256=1A7F7D5E5C394A5EABBD957BAFCB91A142E697E33127065DE8830CC972D1E652,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652407Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:34.421{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65151-false10.0.1.12-8000- 23542300x8000000000000000652406Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:35.190{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=460092D16FE25C42A28611BC08784E74,SHA256=4EACDA50EF5FB6FDBDC4DFE83E44B9D5E98080434F4BAA5AD7E27E1463CF3060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652405Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:35.137{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420307CD3BC96A01FFBDF2F029D84F50,SHA256=3699DD4F72949600F496F8A8F4950956E3370C33D7EB47A76DEEFB8D23A6FB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554060Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.836{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4651656A56E362718940CD4D47B6A9E2,SHA256=3A5DC72EBA1466346D8AD7185C121543DAC7695C8ED588220634ECB054C6BF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652408Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:36.148{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F09592ECBD1CC3390E82E3B2466930,SHA256=837DEBA492B6AFCD44151C7E0F5AE5D5AECD85C1733CFCDCE31968EA803D1E71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554059Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.789{E1BD9FC2-6980-609D-5C4E-00000000BB01}28601876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554058Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6980-609D-5C4E-00000000BB01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554057Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554056Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554055Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554054Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554053Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554052Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554051Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554050Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554049Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554048Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6980-609D-5C4E-00000000BB01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554047Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6980-609D-5C4E-00000000BB01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554046Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-6980-609D-5C4E-00000000BB01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000554045Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:34.744{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51611-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554044Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.133{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBDD5F4983ADE0E008D5B3262D6A023E,SHA256=E137ACE20AB976E4440BB3DFAF2709FE0BDD1EB8A6C339581AD0B388CCB8EAB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554043Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.133{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D2DF58F39A2B95D4E8CB04DAC363928,SHA256=6CE06CE4C21CE196A3C7F3A5EA245C6F3144F3A873CD01DFAA97B529F0722C0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554042Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.117{E1BD9FC2-697F-609D-5B4E-00000000BB01}30082648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554041Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-697F-609D-5B4E-00000000BB01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554040Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554039Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554038Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554037Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554036Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554035Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554034Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554033Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554032Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554031Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-697F-609D-5B4E-00000000BB01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554030Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-697F-609D-5B4E-00000000BB01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554029Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.993{E1BD9FC2-697F-609D-5B4E-00000000BB01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000554088Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6981-609D-5E4E-00000000BB01}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554087Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554086Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554085Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554084Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554083Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554082Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554081Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554080Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554079Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554078Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6981-609D-5E4E-00000000BB01}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554077Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6981-609D-5E4E-00000000BB01}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554076Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.962{E1BD9FC2-6981-609D-5E4E-00000000BB01}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554075Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.836{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA1F1EA334551823267F2B65FB09712,SHA256=8EEF44100D1013C223AE50B71666754CCF3A506E6FE8394F4DBECE55FEDB6A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652409Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:37.158{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E2D8D7424B85EA26E1D1565B3E9720,SHA256=854B6BB7BC60992E76DD55D7C31F161A39230763F88E6BA57685868BF4085C39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554074Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.664{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBDD5F4983ADE0E008D5B3262D6A023E,SHA256=E137ACE20AB976E4440BB3DFAF2709FE0BDD1EB8A6C339581AD0B388CCB8EAB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554073Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6981-609D-5D4E-00000000BB01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554072Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554071Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554070Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554069Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554068Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554067Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554066Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554065Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554064Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554063Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6981-609D-5D4E-00000000BB01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554062Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6981-609D-5D4E-00000000BB01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554061Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-6981-609D-5D4E-00000000BB01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554090Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:38.867{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716F2F1A6CC63D29EDB69C599B5E18DF,SHA256=DE7D76DC159D6576A275644EAE1DA22C8D768B0DD1F43CBFC94158702CE31E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652411Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:38.886{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1610BE7271724510A20EFAA7662ADF0B,SHA256=7F3D921601A01631A952FE84B7B1F5AEF41E0C2BBB8169055CC1A52D060FF419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652410Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:38.170{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DA6B0D987A463E70E558AD796FDFA3,SHA256=34908F70BCF6F41AC86B9E7741B65C6E15EA0916144D3C1321E9DA6F97A329B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554089Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:38.101{E1BD9FC2-6981-609D-5E4E-00000000BB01}3560940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000554092Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:39.883{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654062963692073FD7FED5AB4412BAB4,SHA256=B2EC5C2A30053AF76B61F398DE329F8471414C4E62FA22B0DC56065E04B7D463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652412Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:39.199{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485A5EDE2AF2976C251CC8163A6BDB8D,SHA256=30079C4AE407FEAE1ED7736370ABAA8FAF5367A25E94D5BA770B9FCAE6E7AA4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554091Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:39.117{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F75F6048663AE15236BAF2C7267CAA75,SHA256=94816FF970FC270F63076DA4C68230AD2002E112615A7FF3E142D119BA1CB2C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554093Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:40.898{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57868F0B30DC26E4036AD82C82E4EAA,SHA256=75C2B9E556439B4DA361B869B4D53BD2868632BB17E7CBD7222D8E7AE6E831A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652413Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:40.212{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1AB9CEF078226C8B0E590C05D21E255,SHA256=F6CF022BDD988EFC50E7E06E7FCC5BD2B7905A227B5520E3C6C7A608E190B9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554096Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:41.945{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27116D9C2BE69FB767C47C7BCD45E8E,SHA256=94723CA7A613C8F8FC3A234BB0A85E3EB0D7DACBA3824D038F8E4538FB96BD22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652416Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:40.343{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65152-false10.0.1.12-8000- 23542300x8000000000000000652415Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:41.220{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F79C67D6264A434E48DFBD39F45946,SHA256=1771A81FB952B9D0A95189658E4CF02C973B6B53DF51336C3DC0061FDBE0BE2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554095Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:39.822{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51612-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554094Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:41.195{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3CD67E70796A930C0540F301CF306E2,SHA256=2867710BF1D8F8A0431731F59061E99D61F9B2FAAB793660580D9112A54DBF7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652414Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:41.106{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E9A8DF5D8787277CDF0EA0C7FB9A088,SHA256=71A5F0C04DCD9A5C2898BA80178960ED2C22C43176C47C6B21531BBA84929EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554097Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:42.960{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D01D5C1F5001E55918FC0527B8D783D,SHA256=E20ACC23D8878E7395551D8B4986A6DB8D2D1F8428D259ED4D4F3E789C5D3E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652417Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:42.235{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7806892BD64C0265D496FFC5465CB190,SHA256=E91EE96898DFCFA7F66380DE0B32BE5521914C74DEDD87E6204414C85B51DD85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652419Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:43.864{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E5C02AB4E2B297862782D4C5EA4DFA2,SHA256=D3A3CD784598BFA3968E4DECEE31B771E0E3276CC8151E6F95C8B89527148C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652418Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:43.243{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB3FE21AA459B740B9DF572E761BBDD,SHA256=F3D47A2E4423A4CD26B2EC45F3C90B81CBD8DD927C9F178FE001CED2A50AEDD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554098Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:44.039{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1C2C2262EB89A02A1E798AC858F38A,SHA256=74EA242879E695B3D8CB48E2097AB1BCBC52B011291502337E674DB9A4D77630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652420Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:44.260{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B582E79C5632FC4EB3AD5ED64EF82AFE,SHA256=85ABD274211145772CDD0EB713262EF02E62F32B767A14BEB29FF0E1F6EC477E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652421Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:45.274{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C001FA22AB07E300A084DEF1246A1C8A,SHA256=066F22BC5EEA9FB2D03B74DAB6C9116BCB965AF2B0B7D46097D1C251018E8982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554099Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:45.054{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C2D1848CBE40B2331C37C02BBBAB9F,SHA256=0FB60B17035267198D54B1B6063FC6C26F55031EA70F2903F67EB2492BBB9D81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652440Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.935{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-698A-609D-4953-00000000BA01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652439Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.933{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652438Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.933{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652437Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.933{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652436Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.932{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652435Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.932{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-698A-609D-4953-00000000BA01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652434Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.932{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-698A-609D-4953-00000000BA01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652433Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.932{7B03F3B2-698A-609D-4953-00000000BA01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000652432Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:45.376{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65153-false10.0.1.12-8000- 23542300x8000000000000000652431Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.291{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADEE2FB85482685916E7D5E310B7635,SHA256=7AB83D0B4F5BEA875CEBFD98E24B603828EA485E4070A0A1E93755ACBD17DE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554100Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:46.054{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923C57AC80BCF771725B3754EC09D2EC,SHA256=A3310E2886003E710CA3157F53728820E36DE12160CF4F2F1DF4E0394AE373EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652430Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.275{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-698A-609D-4853-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652429Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.273{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652428Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.273{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652427Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.273{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652426Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.272{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652425Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.272{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-698A-609D-4853-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652424Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.272{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-698A-609D-4853-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652423Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.272{7B03F3B2-698A-609D-4853-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652422Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.160{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=620E1A9CC80C94F2249EC4B12E8E21B8,SHA256=BC0F49BADA7F8391A8934887DA5CE512A51E7E62E0C8FF4690123933CF8BBEB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652451Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.748{7B03F3B2-698B-609D-4A53-00000000BA01}73526904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652450Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.577{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-698B-609D-4A53-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652449Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.575{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652448Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.575{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652447Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.575{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652446Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.574{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652445Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.574{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-698B-609D-4A53-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652444Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.574{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-698B-609D-4A53-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652443Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.574{7B03F3B2-698B-609D-4A53-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652442Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.308{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=329A82B972EEA5D0D9B1E77849CC4B5F,SHA256=F136BF49B999376DDA5147FCAFC48A15F96A600313A188C7EB28AE02C00DB7E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554104Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:45.697{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51613-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554103Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:47.117{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4358ADE7B5A9A438C0749F875E1705C7,SHA256=C92FC12103E5FC090FD5B2EB6552E242DBB3E436D6BE548D328370089316D595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554102Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:47.117{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8829370F18FF143C1052910D3E5C993A,SHA256=D579799575044912EA574CF490B3C091FF97C4AE91CBDE39035E48859A91F114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554101Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:47.117{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79952A3FF5DDE8338659F590DF4C1982,SHA256=233D08ADE039CF785802308DC8F03E59393805002DF9DEB5F46230287C5578AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652441Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.291{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0124523D8555A5B4FB9FB51DE9692004,SHA256=B52240938AE069CAE1EF089DE2D82686F840747C4DA114ED2D8E1810144F158E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652462Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.595{7B03F3B2-698C-609D-4B53-00000000BA01}81285980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652461Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.583{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26D003B132492E615E5C7FF4084CF831,SHA256=8DA3EA2E47D097DF289C101C0D140E933DA8075320E00D7D16A70CE87FD46B8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652460Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.450{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-698C-609D-4B53-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652459Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652458Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652457Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.447{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-698C-609D-4B53-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652456Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652455Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.446{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652454Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.446{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-698C-609D-4B53-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652453Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.446{7B03F3B2-698C-609D-4B53-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652452Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.324{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71E74556965C94B6A9AA25008F26B9B,SHA256=D9AD5C24F43182C867AD1136E81FA20C459EE000DD325B4DDEDDAD1B976650BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554105Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:48.132{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BD722B6BB64C9BE1D6A25E57790278,SHA256=451E83ADB689140C63CD6C1A4CB76668823BAF8F8DA30123353E13F8B8CA36DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554106Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:49.179{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C69C3CE00D1B4BDFA757ECEDFA37FC,SHA256=C8464F95F7EAE1CCF7E59C7E70EABEFC8759253E0739F7A4347D41DB00593B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652473Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.606{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64CC55A27F3A579EC21BBF193AFAF544,SHA256=AF6118231ACCC4971BFFE7612B552DAC41F3A777D05DBC6CEB218AFBC71F1C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652472Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.332{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFC07CCB01F899567D8F1023757E16E,SHA256=DAA75159C37E0E3606DA364A4DAF3C26D8466BA536DE2A63E7C89A663739C254,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652471Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.257{7B03F3B2-698D-609D-4C53-00000000BA01}68481916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652470Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.110{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-698D-609D-4C53-00000000BA01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652469Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.109{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652468Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.108{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652467Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.108{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652466Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.108{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652465Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.108{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-698D-609D-4C53-00000000BA01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652464Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.108{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-698D-609D-4C53-00000000BA01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652463Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.108{7B03F3B2-698D-609D-4C53-00000000BA01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652474Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:50.344{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF080D249596FFD7CF67B05C5E0448B,SHA256=52C0909414B62EAB4667FECD2C0F8621772CDEEF15719676A86DB3ABB95C48E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554107Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:50.210{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4197F321041467AFE94FB28CC055E80A,SHA256=F621C535F20AA764F4DBA075993A573F2713DBF784FCA873311BCAC7937AF356,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652486Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:50.497{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65154-false10.0.1.12-8000- 10341000x8000000000000000652485Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.456{7B03F3B2-698F-609D-4D53-00000000BA01}67124812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652484Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.372{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074070B20D2DFA4572DA58F6D485F43F,SHA256=D7FA086315398F1BE9783B72D730BAB5956F0F7C8DA3CA7B7EF23D068FBC0306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554108Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:51.211{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AC80AD403D9BC3224E920032F32041,SHA256=66C1517DABCAEC068D3D32CA254D5ED6944736940AB84CA0601B7D4BEA60745C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652483Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.269{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04B77D0D5A13E97EAAD3B4642029376D,SHA256=58C365AFEB98A192D9F88434FD0053378FF7207BDEC0A7671E21D70807F86A5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652482Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.227{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-698F-609D-4D53-00000000BA01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652481Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.222{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652480Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.222{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652479Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.222{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652478Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.219{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-698F-609D-4D53-00000000BA01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652477Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.219{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652476Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.219{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-698F-609D-4D53-00000000BA01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652475Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.219{7B03F3B2-698F-609D-4D53-00000000BA01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652497Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.908{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3FEF1D4DB4646222CDA65CC9CFFD9A97,SHA256=3385041E70F75AC3514C9331C6B01DD1B90437B4676AA722AD64599D9FFC558E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652496Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.476{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B2BE001062255EEDF4285A6F0829AB,SHA256=5736BBE33BAB6C052EBDA08B614F6780C59D13B900C10305276A19E4CB3766C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652495Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.395{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94A25C66B10E20608DA6DE0CD17506B,SHA256=9EECE997FE06E1785E491130468CA5F3C90F659B10EF1AE7453130531F9ED6E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554109Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:52.226{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683FFE028F6478D06AD9EF83B1C97DB8,SHA256=A427C35A538436E3F07861AA7CD7795EFFC2A598ABD9F2E4244ECD9444AFFD23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652494Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.011{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6990-609D-4E53-00000000BA01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652493Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.009{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652492Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.009{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652491Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.009{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652490Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.009{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652489Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.008{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6990-609D-4E53-00000000BA01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652488Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.008{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6990-609D-4E53-00000000BA01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652487Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.008{7B03F3B2-6990-609D-4E53-00000000BA01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652498Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:53.400{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E861559C5FA7ACC6A77A07BA929911,SHA256=C2AD537408FB3E0C1227E3F4CA24492BEF3655C21028ABA2CA4E173F2F20571B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554113Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:51.728{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51614-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554112Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:53.226{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C869D6E9001367D63CFCA61DFFA7EE,SHA256=F97CAC06B58EC223CEE21F66099A2C40DA1172CBDCDDEF727CD976A5D202808D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554111Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:53.101{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D483BAFA4F3E1B1BCFA4A93C8C486217,SHA256=CCA883A411BF54E03E33134E4FF2EE38D6637B894BE24FCE4B9EE6B687691C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554110Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:53.101{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4358ADE7B5A9A438C0749F875E1705C7,SHA256=C92FC12103E5FC090FD5B2EB6552E242DBB3E436D6BE548D328370089316D595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652499Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:54.406{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD90E4B639C14EA6B6A15FAD10DF950,SHA256=DB4A1A4B872B1D584C6CC9AAE8159ECC1258AFEB0F91559F9FB8512A671FE758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554114Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:54.242{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DFA1B0CB589E5192F71FC1DEDC408D4,SHA256=E7F82390A86D1093D91C4154B29A9C25C48284C2F127C765EBF42A1416217C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652500Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:55.443{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3748A3AE6DD9570CE3829F46B50E6E,SHA256=B43FEF842FA5C5D28C2ED9904437455C0F7659FF3B6F30EC96C799BE6AB5C1FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554115Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:55.257{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B072959784F934416989EAF178B0D9B,SHA256=3AB97004D730B2C2CDABDA48D45E814A84DAFD50A433CF2B0427DAD84D8C1E6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652501Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:56.457{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F45EF3258580FF364F9BCF9C33F461,SHA256=D6CF7924C054D2F35196949CACA2E743052CF40FF13F120B3025AAF0E1AA6075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554116Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:56.273{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E624B85817172301EAAC3EC62A5598,SHA256=BDAD76236BB665B522E88C2FE4A31C26420EE35335B23A648930BCB39E19546F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652504Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:56.325{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65155-false10.0.1.12-8000- 23542300x8000000000000000652503Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:57.490{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4D676DCF2BEBFEC55698309DF9ACBB,SHA256=0DACE0D0EA6048824332B671298F8A7416776A1D8F95DA023A6910B19292D37A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000554118Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:01:57.830{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74822-0x10c7668b) 23542300x8000000000000000554117Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:57.290{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B092A7353A52D034A2E486D533D6D52,SHA256=1A0470531E0E841464575477A39EBFD919D8966E0977A5AE2C5832E075D588FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652502Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:57.093{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=810394CA6AF0FD6BFEB9C55B8963C1E2,SHA256=4E3A91985E70DFA3A95BCC23A03BAD7814AB28C5F2ECD7FE204CFC9E4E97FE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652506Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:58.875{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0925D2D1D984F465F8FBB43171591240,SHA256=CEBEA011F3721B3C7C6A3FDE5CD8F26D8DCDBA8EE227BBEE4DFC5ABF423A451D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652505Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:58.502{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BBA4B04904029844A56959B441583D,SHA256=E01711C74E328C92DBCE4C1FC07ED66EDB30B1852D081E6CFDAF8534B9EF1105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554121Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:58.315{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DB711C624682A3E648605EDBD242503,SHA256=F4A308433C9B1F65CB2033E7161BB8694B703BBEE05A9ADD60FBA4F6DC1DEA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554120Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:58.315{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C152FC4683E96C95E01991917EBD81F,SHA256=0A60645163292B6D15DDC3809D64CE4294B7EB2F111DEDE0A694FF98CE77C0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554119Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:58.315{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D483BAFA4F3E1B1BCFA4A93C8C486217,SHA256=CCA883A411BF54E03E33134E4FF2EE38D6637B894BE24FCE4B9EE6B687691C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652507Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:59.517{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAA4C500D5B1B230DBFE1221AE0C6F2,SHA256=A6785B93B32D1D887F973F20B41FD76623D932ADB6B491511CE297DB95A635EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554123Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:59.349{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACD4CA70AC1B4551648D229853A3196,SHA256=1BD5E0511B591203FF12AFB45458D342B646DAF510831525837949A2A8FD775A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554122Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:56.729{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51615-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000652508Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:00.523{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE242991C61B604493C7620A211D9004,SHA256=EBC18F47FE1444C519F32B02A4E42444672C9FE329CC13FA8D75254CD1359C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554124Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:00.364{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C76B7B8758243590E880D6AA937A809,SHA256=B28AE0459BCDE9BC61405A26ECFB913157CA48AB6B4E2E765FA3901EDCC4B32D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554125Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:01.411{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D33BAC63B93C2E3568F4E1232A8C16C,SHA256=AA2FDF8E1ED9996286FC06FF94F8A0B5AC4D02D7D400782AE5EC5C484C872875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652509Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:01.538{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E0491749D8198DA236464C07BF17B5,SHA256=E858E008521B912A4D5E2699506BF86A06FA19DA814C4ADA0F4CACFD91C8B0C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554126Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:02.520{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66EC8DB315FE56A736FD013C5BE668B,SHA256=B9B946B1F163D0B181125A72C1BFEAC2A8B0D03C64C2AAAAE4851BCE2A87301D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652512Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:01.358{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65156-false10.0.1.12-8000- 23542300x8000000000000000652511Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:02.558{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFB5F00F77809D0CC676AD6B44165AA,SHA256=CF9151AF61EB937161F95131C5ACD782992E7534206F15AC8F8CE65A4F5D5937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652510Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:02.139{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19DCF946F1FFA16CCC745989CC6B7A04,SHA256=950361F6860517C115396C55EC9534B7716C25AC7BFD48741C5C14F9E00DBF14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652514Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:03.870{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26EA5A5AC17239448FC31CA1B4D27F49,SHA256=A4A25B214E9FF72EE2772565D5D42787583E7A2F649D510EDB7309C0DF179E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652513Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:03.579{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE1F9F1D826FF69244F7A7EBE0BFC08,SHA256=DC7AEF7A9558001A7D761AC89180B26593E85A7E51AE94FF19977785937ADE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554127Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:03.556{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44502D743CFE5D79B5D2FC5D1AA7935B,SHA256=C0120F55BBD0032FF2C9A40259B2A6FB8A557C83B07FDB6D0061EA377F1E344D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554130Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:04.572{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C94152242797CF100776894D909A811,SHA256=C3552F0A4ED3253C980DA40FFC0108BE6E2606E9EBFCD68F61CDC6FB1043F7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652515Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:04.594{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75CD630EE80B948963E0FFC911B0B72,SHA256=BAA76E35CB092B7473F20EC1D38681F2FC18410DE23411C46BFD2521BC04FB7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554129Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:04.072{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E0AE686963168314B5F7F947ADED3EF,SHA256=606D45179CCBFD3818FBDBB32A56BC0C8B1F407BDA9C621995B95C77346A242C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554128Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:04.072{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DB711C624682A3E648605EDBD242503,SHA256=F4A308433C9B1F65CB2033E7161BB8694B703BBEE05A9ADD60FBA4F6DC1DEA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554132Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:05.588{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2EF8C214371D69BEBD750058E3A030,SHA256=EF548FABD459589A03D3BE43E4E01EEB07F4BEC921459C105CF3D78554DFEFCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652516Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:05.603{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2986616C75688004069255288192BF82,SHA256=B8F1E827E808EC19534F5794D2CBE284A90F55D1E7327E6D7B35142970B989DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554131Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:02.713{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51616-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554133Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:06.650{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EBC3A42934781AD883755513B99D04,SHA256=A0A0109BF6D90C5B784DFC23D0C0235EEC571D9C4E277C9C21C9A3E74CD001FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652517Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:06.608{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749C815C0A2E06ADAFF9B85C351A8C92,SHA256=8F8FBD5BC610CC6C61A0E6B4419E902F14E8AB2315C1435299C0D689C6F736C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554134Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:07.681{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F60CB2073D8A2863C4137F484CACCE4,SHA256=1D98A6B327906A6D2DA360FEB8CE26C76194DBFE084CE3B8E5EE5AEC759CA999,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652520Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:06.367{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65157-false10.0.1.12-8000- 23542300x8000000000000000652519Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:07.625{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC411934E29547324FE94A6F2BD2D65,SHA256=EF175428FEE4A3705B374696C4D1A497D539ADE2C8F656A20B5D43F5C9F73292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652518Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:07.174{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31A200CA1D0B394E7624D99EE337485E,SHA256=4DF3325C943D8771473CC97679A4D4FA69572C4385A9C39E6782B01A287B06A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652521Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:08.645{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A0BCCB8F2EE3A964A9326ABCF4DDBF,SHA256=80DF0DC25C361BB82F56A08CC0AA5A6A1BBE1D34D124AADE2CA0B053D8A67F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554136Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:08.744{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2C7A73D29072C26E194AC9D124FD970A,SHA256=18C6934277B94592AB42F258D23C596E2CB9705C89A5A0B5AB84632BBB4FBC85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554135Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:08.697{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC096520E8A1906AD608339C7D382871,SHA256=3FC5293EB3A1E0D9B5AD0F6B247D643A1E7382C2E9D373B43417DB4FDF9ECD54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554139Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:09.713{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600A259D4C9FDD93B7F8644FB3E8264B,SHA256=B062A9B26720F08B5F9BE13610572EEF12C6F8FBDFD09492D231F7EF1A0C95FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652522Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:09.649{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8811582E818BF2110DFCD2E1715A7FF2,SHA256=68A1FDE3BC8E8005B1DC266A53AA8FA8B3BD26A7EB4058D5DFA62B51537563E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554138Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:09.228{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C1FD09B90A18683B07263843691EC7,SHA256=7163B3C03036612CF33FDFE13206A885B99DEB222115FB88094D07C43A9716DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554137Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:09.228{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E0AE686963168314B5F7F947ADED3EF,SHA256=606D45179CCBFD3818FBDBB32A56BC0C8B1F407BDA9C621995B95C77346A242C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554141Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:10.744{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD5E54ECB5CA2B1D22812B46DC29561,SHA256=95A8614F726ABDDCF52B7F9774FEEDBE6D5400D36CFB2E9261561E2CC8B9BECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652523Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:10.675{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66AE51F2E420B3826760A56B94359D9,SHA256=FD6BA78BAF0FA856251DEE48B15D13941009A1DB929A8554A516942BDCBF70F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554140Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:07.854{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51617-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554142Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:11.775{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BB56D68D657D52DD68E502E2F7B75C,SHA256=A8F31E97EAE1E96C19A4C700862AC696AC536403381589C84DF303D27B70F646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652524Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:11.679{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3535AB29F8966A9AED3ADE1AA02E377,SHA256=4D4AF8EA1F2F8B422CAF43EE5AF66AA4B64B181611CA949691F1F92553596B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554143Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:12.791{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89F48679D561A8D84E7B4A78AA710E4,SHA256=1F6BD1DF353864252CC50C54FFCE127875CF4EDDA3E72CDFAFD34564EABF8456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652525Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:12.703{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A461C8DCB8DD10D07D980921726D195,SHA256=409423D276C4EBC0157326BBACC4A1E6C3861AB3671C987A7C0008062165056B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554144Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:13.822{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44507F6268BA83116BF5CF21830D3571,SHA256=D0ACEBE2BC697AD05C459204FF802EAA7ED5FA14077ED57E4F67CDF3C3B96786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652528Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:13.716{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190CACA44A2197068086B7228B01DF99,SHA256=6FA34D04E3D2B2B408F4756B93C1B2416D13478C05344D982C08E732D8C9CEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652527Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:13.125{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3122407173B1CE24F6B4E3A12963C4B,SHA256=E81C2194D8F8338EC24BA5B68BB2C4EEE0D796D905B09BDD51194AF085287169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652526Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:13.123{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=437CE1FCEFFE399987E1AFB064AE9451,SHA256=9E4A4E66C2C9E18020D99CF168E1CDBEE4DAB797DF90A35869E5EC8894AB97F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554145Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:14.885{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FAA9C5691D4C69DB7E2F32FE85B7B03,SHA256=F63FF759D297365067E87675D857AEFFB7021F3A545ED6CC0C4A80EA207F822D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652529Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:14.728{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B85F1D8BEDCBC9AB2AE64DD5447831D,SHA256=FC0005B5F28223844178B69BAA9D178B23793E4D1C78574D73BF40DFB7F693E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554149Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:15.900{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCF9D71E063E7DEF32DF571E0BFA5A4,SHA256=1D49CDA6E3B147742B3CE7BB91FB1ACEBFA39B4DC62F1C138575CCBC588C3160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652531Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:15.740{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1338336413457C399F55A6595E5504,SHA256=0C43DF51E023051B85037587D82906A887B0EBB239449BE6C5F28C99868EF41A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554148Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:13.713{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51618-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554147Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:15.072{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7CB7B3565F41AEB0F0D2514256AB11C,SHA256=60B691BC91BC265AE1900F5313FA71334C09E9DC9BB11C32D472FE5D49F6E2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554146Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:15.072{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C1FD09B90A18683B07263843691EC7,SHA256=7163B3C03036612CF33FDFE13206A885B99DEB222115FB88094D07C43A9716DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652530Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:12.356{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65158-false10.0.1.12-8000- 23542300x8000000000000000554150Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:16.916{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC42B2AE3397F830BBDC87D4ABAD7341,SHA256=419E0ED9821D377489D4F7A680ED809774A88E7BEB393C50DF5BC6AA1662AC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652532Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:16.745{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC663AEF5F920F012FFEBFF8930A467B,SHA256=82B30FF0C0897B080950770956CE6499303CCA0A2FBB24F12B813BF64BB354BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652533Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:17.816{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA86C9D2644BB7590A1188AAF07257E,SHA256=C1C6A6FBCEC107E67F8316B7D4CCE9BE8B4551CC3952343A9C4801C1954B5673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554151Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:17.994{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0599D943C41A384628FC02996E4450E,SHA256=8070789C42A8D6CE9807B2EA8E734CE2A756E3D39A4E2600D2044B33C05EEA6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652535Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:18.150{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=463D129446C4D7E2AB13E17AEC8704F2,SHA256=976508DDF887FD7AF6829142716C903A128D337CF347120AC68C2C511007BA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652534Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:18.148{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3122407173B1CE24F6B4E3A12963C4B,SHA256=E81C2194D8F8338EC24BA5B68BB2C4EEE0D796D905B09BDD51194AF085287169,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652537Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:17.380{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65159-false10.0.1.12-8000- 23542300x8000000000000000652536Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:19.049{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB28D2420FFB15F22266B5A5FDA33FE,SHA256=EFAA153AFEA7B2E8C6CDE3271C3E5A2AFB13579F299034977CFFAAB6E3F81E73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554152Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:19.056{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADC17BCA429FEBCEBB6D409F7A247F0,SHA256=50796DB6037AD87BE5AB66AE9FF8CEB8DB9878FCFF4891B04865F1007044AD14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652538Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:20.072{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106890C8F28F30903D50046F6C514CF3,SHA256=27941C3B531E28F3547182F1E82E89B428E685DEA6A694A077839503994DB30D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554153Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:20.056{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A18B50EABBB8FBC106FED1C0553BF91,SHA256=269BFF45943B3DC7DBCD7C76D8115FDD4F7E26608E8CFE35EDFA6163A9BF6FB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554157Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:19.713{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51619-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554156Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:21.088{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F2F6C04A6556D7D3D1299D3C141B7F,SHA256=447766303243C87F296141FA42F2167C1CEF8B780F1C209AF61AAF8561DAF516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652539Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:21.088{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120F8AE01DE8325FE74DF752D17BDE13,SHA256=62DA00704F0AE4D4AF58F618AE077AA6ABF682100830173FA75BD9AAF3D85901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554155Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:21.072{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D0CF9587ABB195B7A9561255CEAFF07,SHA256=8125279B601F4BC2A01FF9973ACBC98C890A1BA03C720E2506F3788685FEF138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554154Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:21.072{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7CB7B3565F41AEB0F0D2514256AB11C,SHA256=60B691BC91BC265AE1900F5313FA71334C09E9DC9BB11C32D472FE5D49F6E2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554158Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:22.119{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEF71DE94540539195296387C33C7C45,SHA256=0EFFA1FB6D8B73F42B07F43BFC5FB26012D07404517498CED6D8ADB22FF36488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652541Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:22.942{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652540Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:22.105{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87F764DC726090EB3252DA6C2E120B8,SHA256=BCD3D5C26DC4AEE4A64C956FE3EA0FB7CC65A47060404CF3456FEECB7516E49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652544Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:23.251{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7531A67015DD798ABC280C9E4602E0B,SHA256=4B7776BDDF11AEF8FE14E11CB7AC840078E387A9286A8FDBEB389E990331CB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652543Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:23.249{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=463D129446C4D7E2AB13E17AEC8704F2,SHA256=976508DDF887FD7AF6829142716C903A128D337CF347120AC68C2C511007BA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652542Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:23.115{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A032350433167186DC72A625CBBAEBE,SHA256=1D28303CB32EC1FF4B6BD7975DCDC708DDA14574E273027D58A13034E2F15C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554159Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:23.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462B022FB3076C828DDE6B3DC85465F1,SHA256=7B866D7FEC5384A1050AC24985CBBEBAF97F76425CAEA83D54DF1CF625993778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652548Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:24.369{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7531A67015DD798ABC280C9E4602E0B,SHA256=4B7776BDDF11AEF8FE14E11CB7AC840078E387A9286A8FDBEB389E990331CB66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652547Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:23.178{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65161-false10.0.1.12-8089- 354300x8000000000000000652546Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:22.485{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65160-false10.0.1.12-8000- 23542300x8000000000000000652545Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:24.136{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AD9A494878868E79D73BEBE2AA9D47,SHA256=4FE28B8483B4B9142655120A5607161B566DD59EF793E94D91606EF5E3ED169E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554160Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:24.155{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA5CA381E64A2FA3E64080EBB07898F,SHA256=61A2169F62E50E5A4C0E89A57289525C8B7C71CE42B1CD90A930E607AA0A4D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554161Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:25.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FAC5A5BB62C85A1A0F66FD44425AACD,SHA256=35661A2D9666860FB2CF5CF256FBA4266208E16546DFDD91A6956FA4DBFDDF02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652551Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:23.587{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65162-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000652550Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:23.587{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65162-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000652549Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:25.151{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C645D7D9A1D15D67ED54B846617E89D,SHA256=6E258D0BF119B253A51155B32A3ABE2929314B9DBAC70F051D2803F7B8E59EE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554178Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69B2-609D-5F4E-00000000BB01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554177Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554176Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554175Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554174Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554173Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554172Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554171Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554170Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554169Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554168Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-69B2-609D-5F4E-00000000BB01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554167Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69B2-609D-5F4E-00000000BB01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554166Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.796{E1BD9FC2-69B2-609D-5F4E-00000000BB01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000554165Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:24.780{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51620-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554164Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCDB6CB3926AEC9936DC845745DB842A,SHA256=57A69B675EB00FF2CC81AAB9D66C5AB7C1B7B90E32C95F0F9A6E7F6D6D7D25E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554163Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D0CF9587ABB195B7A9561255CEAFF07,SHA256=8125279B601F4BC2A01FF9973ACBC98C890A1BA03C720E2506F3788685FEF138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554162Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2A8C52C80E2942336C4F583D97B099,SHA256=7963CBA7B4A85EB29BE6A88D0404B15EBA16EF6841D14BE80CE0D68A9F072600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652552Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:26.196{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C4A62F299297EA0AEE5FDF17BCBE47,SHA256=8FA37126BC005BA339B581CED58BD9D776EF62F7B4FB16A4F68E2FF58EB0AF41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554195Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.827{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCDB6CB3926AEC9936DC845745DB842A,SHA256=57A69B675EB00FF2CC81AAB9D66C5AB7C1B7B90E32C95F0F9A6E7F6D6D7D25E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554194Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.608{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554193Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.592{E1BD9FC2-69B3-609D-604E-00000000BB01}7202924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554192Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69B3-609D-604E-00000000BB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554191Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554190Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554189Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554188Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554187Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554186Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554185Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554184Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554183Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554182Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-69B3-609D-604E-00000000BB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554181Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69B3-609D-604E-00000000BB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554180Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.468{E1BD9FC2-69B3-609D-604E-00000000BB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554179Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.248{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24E9F4D7FED2AC9D354E7FB5C9A688F,SHA256=2F568ADA350BBBA9D4C0126B3C26E128D42637CB9291AF4F35C0EF2692E0C843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652553Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:27.202{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596F867DA19FA6ABE1E0BC1417E22BC7,SHA256=C5D6A963E5C6927A6DC05E82982A93CF5011133C0F468BF117129934EA4D57F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554210Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.233{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51621-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000554209Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.498{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8601ADBB0C37ADD21EF350FCFC9BBA7F,SHA256=45884718BCC22AFB8735B590FADEE6C28ADC2EA8649DDCB10A9C3D3A3392EDE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652554Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:28.216{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35996C00A1566B3F9AD4D154D9242A2,SHA256=B2FADF6ED0E282B3323AD0027978FEB62DABBC1082250B3F5572288F03A36544,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554208Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69B4-609D-614E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554207Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554206Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554205Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554204Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554203Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554202Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554201Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554200Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554199Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554198Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-69B4-609D-614E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554197Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69B4-609D-614E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554196Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.140{E1BD9FC2-69B4-609D-614E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554212Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:29.545{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F90C20C8EAE8BA2601E5CFF9299F64,SHA256=AE1107A71BAEB175046B274132E07FE299F1461DF773121BDA14EE5F28307D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652556Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:29.225{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC87D15A3FCFE5E569B047B9352C0B83,SHA256=7597AE7898C0B2DF3204E2427F8FE5F896F44F7191BCBF98B48F2294C782C8FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554211Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:29.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF7790E7AF4FC211F2F5E3BAD433210D,SHA256=1EB13F430FF727CCB3D6B33A4F32890298CC66ABD1C0673F2D89A9A1059E805B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652555Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:29.118{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBC5631D9733792A5CE92AB9CB0CCCB0,SHA256=6EB08E0D84DFD82980490A7FF8C4F34593570C9D43C24451F8E473A0E58F5C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554213Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:30.545{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985F14D684CBDE74D72525AC28E40233,SHA256=51408DA844CA4CABDBE150586AB9CC54F547C8E1B7518EB61881A3853CD1F2BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652558Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:28.345{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65163-false10.0.1.12-8000- 23542300x8000000000000000652557Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:30.232{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA61E279D99EC1264978A37E0AF27E33,SHA256=12EF86DBDE4D12E67DC0B1F77C95D6D212DA1F7B2E5EB19F847D22674A43AFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652559Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:31.288{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F52ED66E4BF8C9D3DD3F9EE86AC648,SHA256=B1BC5396344852806FB8AF4F313036A6BF28F2D4EABE1478B675860F38B74951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554214Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:31.561{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3AC3A33245D529BD44415D290D2F94,SHA256=A045D91D3FD75B709E61BAB17343C49C5BB01893B8507DD2AD61D9DA9B599F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554216Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:32.577{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7197075CBA41AD274A56C94BCE4DFB5,SHA256=0860AFAF1BD5845812A2F25314F25DB4412A7BFF571FA39FD1288C17894FADC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652560Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:32.294{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661746FD61887A4BDDCB6109A07E078F,SHA256=C85DF00B9E4456FD3ED3D52A4F4159DDE5AEC19AAC30CFD68069F062AC0A2611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554215Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:32.202{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D05BA6B6C9E15A8D5766C657144F95D2,SHA256=464282DE2EF20A1C78DC20072EFE954C427BF7A072F2E0480D164D2E01CFF6E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554218Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:33.592{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7804CD894E920A2416CF08B85FE87683,SHA256=0006B1240334C1105B84B37D6C4789A8457632EF431620FA153029AE8BD20BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652561Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:33.312{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D69971A826D1B3EE1DA11D7A5D7595,SHA256=431CC4D084645B8D3221F57798FE4B92179D332E15904DE1B64CE149486B1C8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554217Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:30.827{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51622-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554219Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:34.639{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53D0FF397235B82DAD828472781407D,SHA256=72AC09D0E3918F8291AF944B69528D1FE90F44FAE81A6DDF6EDDADF403F5DB00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652565Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:33.397{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65164-false10.0.1.12-8000- 23542300x8000000000000000652564Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:34.320{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4673360AEB3892A6EB2FFA08E5A842,SHA256=78E04638F63E34ED3E7DFA742A64AD2BD13BAF9A57D6ABB30FCF09F9940286B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652563Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:34.165{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF162D450774ACCC1B41413FA9F1E8AD,SHA256=EE79D06B2D9790B0996E2D99819B91C7652DBC43BF6AD38B489F21C739C91780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652562Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:34.164{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99876973730CF57351D45B941F260F7E,SHA256=3B6AEB457B50B72695EEDDFE68A088E132A28FDF8B39026EC7B44968C362F6AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554220Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.655{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A995B392C2E60AAD3626AFD40AD5EDD,SHA256=07A71047C51BD82AF4575A581A2E9D71BB5360E749F38EF388D2EDACFDF5AFA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652566Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:35.335{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C92A5BFA05E345C8692E3DF5FBAD328,SHA256=F3B142293328A7CE43367C78B0C0956779AD65BFAAEC2735D7F5C19D1C0EEE0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554249Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.795{E1BD9FC2-69BC-609D-634E-00000000BB01}19923672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554248Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69BC-609D-634E-00000000BB01}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554247Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554246Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554245Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554244Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554243Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554242Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554241Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554240Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554239Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554238Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-69BC-609D-634E-00000000BB01}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554237Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69BC-609D-634E-00000000BB01}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554236Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.671{E1BD9FC2-69BC-609D-634E-00000000BB01}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554235Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CD47A6826E5430063AAC39B9543BA7,SHA256=80A864B55B5DB7FC4200C6AA106B23C2603087C1E73F321D3EF441CAC6D1A395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652567Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:36.366{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7388043E3FC28BF155EBA05263745BF,SHA256=80761ACD19240908983D5EABD0D91A7C8F19205BE04569E29FC97EC91C4C147D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554234Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.124{E1BD9FC2-69BB-609D-624E-00000000BB01}18723368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554233Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69BB-609D-624E-00000000BB01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554232Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554231Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554230Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554229Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554228Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554227Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554226Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554225Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554224Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554223Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-69BB-609D-624E-00000000BB01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554222Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69BB-609D-624E-00000000BB01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554221Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-69BB-609D-624E-00000000BB01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000554278Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69BD-609D-654E-00000000BB01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554277Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554276Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554275Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554274Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554273Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554272Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554271Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554270Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554269Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554268Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-69BD-609D-654E-00000000BB01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554267Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69BD-609D-654E-00000000BB01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554266Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.813{E1BD9FC2-69BD-609D-654E-00000000BB01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554265Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9809A8261A266A42CCCAE37D175EE4,SHA256=EC6663AC6476B44F420CED94D9AC941EA97C0B9E8CEB475F3D429D5653F51BB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652568Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:37.373{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A1FD50A070FFFCC028D45C18CDE949,SHA256=CA5A5C396B9A9BCBC6DD1E3E471076BB629FF39C554CCA239B965C22EB183E1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554264Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.311{E1BD9FC2-69BD-609D-644E-00000000BB01}37721012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554263Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69BD-609D-644E-00000000BB01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554262Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554261Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554260Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554259Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554258Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554257Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554256Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554255Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554254Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554253Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-69BD-609D-644E-00000000BB01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554252Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69BD-609D-644E-00000000BB01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554251Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.188{E1BD9FC2-69BD-609D-644E-00000000BB01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554250Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.061{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFE7DBD9555211A8B224F974991EA3C4,SHA256=85E98709DEBAEDE28AA1C4FA41F3057AB1180E4225CC6EE3A9CF0B18746C8BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554280Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:38.827{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB14596E8BDABF8BF56AE95E0B3F1BBE,SHA256=3A313F9EF15A6FAB71794AB7839BF1EEA9E956FB0B1378E6B821FCCF8C1C8EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652570Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:38.874{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF162D450774ACCC1B41413FA9F1E8AD,SHA256=EE79D06B2D9790B0996E2D99819B91C7652DBC43BF6AD38B489F21C739C91780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652569Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:38.398{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED476EAA0E52FF92427666B4118278D,SHA256=B8081C2718A45F45298C05987DE7CDB3926C5C784D9075ED8171681C5747709F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554279Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:38.233{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA6830EA6A5E759428D1DC43710C7F49,SHA256=30C056DCD59E8F8E20CBBA559EA7FB804EAC62B7C7477A88DAC7DE600541C2C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554282Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:39.858{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97E351E3B74B0938464171D197616F4,SHA256=3ADF65D3E0003940D405974E3B93B990579B21D5A17A4C5FA158B28D8B7957B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652571Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:39.418{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495E13556B0EFC92A3624176BBA2A681,SHA256=8E02607C8E4305AD15719B8742E6C45007D6E33A95AF4BCC5F834ED6CF824217,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554281Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.874{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51623-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554283Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:40.905{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16D6141BB42D819DB4D228623DA337F,SHA256=470FE6FB9844866E3AC4109301A954A8000B03A6D13EC8DEAEC3C9D66430997D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652573Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:40.424{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5CFB5EFA5D3855B9D6C53692FF2EA2,SHA256=23D838BA0500EB6DD2597FCF40EA8DB790115E5FF26E8B7406431FA34804981F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652572Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:40.108{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=963E9B5CF5509E7A1BFEA0508B624759,SHA256=A52A0760214DC4969B34C8645317F7DB0D01817B49BA6DE909AF0B8602E2BD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554284Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:41.920{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=628DDAEAE8D15A659C56CC09731ED207,SHA256=405287D854314BDBB197BB1CABB7478D6C79C1827DEBB7367806F27998E5FA58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652575Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:39.330{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65165-false10.0.1.12-8000- 23542300x8000000000000000652574Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:41.431{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056C3F7749F239F0F549BFC3357EFC7C,SHA256=0A8F46A32276299A4A68C1E050D28EB794DF072510EF14650EE3AB6EEA403189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554285Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:42.939{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5025BD820D64FD440335A3B596CEC06E,SHA256=D622283D54D6EBA8B359FD36E5AF700F2CD81F695B8EDCA4349E6DCDC188937F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652576Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:42.458{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06CDE6DEE1B9F82D7244C495839FC0D,SHA256=2AA610517450C22AB5F0079DB08ECA0E83497652ABF72375E1C1CD6EBFCA3E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652578Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:43.887{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20B59F985D9CA59F712BDD6C80D8BF46,SHA256=6DBEFEF9E9FE7206201D16BA2625E1D480298E5E7568C2795C305F1C19D80067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652577Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:43.462{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF4193CB6270BD5DC30E66289CB26146,SHA256=88F5904460791C9D9C50392BF63A1406F1AB8210CAA617A23C822ACA8D9C49EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652580Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:44.510{7B03F3B2-4788-609D-774E-00000000BA01}1036ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1036.xml~RFa25a9c5.TMPMD5=5714059E6175AA2BE2D911D4379F98E9,SHA256=264C6878029CE25FF6ED4F8B1DC23FC47E1DCE8FD2D3EE4B31E7066B69968955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652579Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:44.477{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA2E8D0E4621973E752D421617EA472,SHA256=D6EAC4AE793C3A719D0B0C5F5B0A759695D27823CE556AAD78AF559C92538D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554288Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:44.127{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B8C0F5A12679691D43287903BA110D3,SHA256=1640DF372EBD02B9284ABC2F65346668C156D743B161BBEB0FF7CCCEC080B6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554287Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:44.127{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03F4F08BC7DCE797A422A74D16C0C234,SHA256=A933A74AC0072EF45BB9EB6E1D1EDE998BDC5A698203FF7C9ABAC2A49B04DD55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554286Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:44.017{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5CCF6E31FFFEC84916FFC9D22D5584,SHA256=D2489D4581A8AE1D802274D60C044B3CA866D876475F9A7CF521BA47EC1C13B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652583Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:44.390{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65166-false10.0.1.12-8000- 23542300x8000000000000000652582Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:45.488{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA20D5F0E124D4F0A9E23BFFD0D0528C,SHA256=3C0E5AB32C129918FC8D9F896A7443D53412B6B5777CB42306F27536A83C3526,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554290Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:42.752{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51624-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554289Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:45.033{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDD4F3F8E681B3F0624A4E609BCD0ED,SHA256=2DA85C9D4A42FBA9ABD34736BA087E27BCDDF367F039A6EED886D57A22C88DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652581Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:45.180{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E1335089DC7B617CCD231B232E94914,SHA256=0D4D2E5B27EC3C20A92A2FDB0E4F31251DDEACE099B3EA562604EB87658F644F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652600Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.961{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-69C6-609D-5053-00000000BA01}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652599Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.959{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652598Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.959{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652597Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.959{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652596Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.959{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652595Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.959{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-69C6-609D-5053-00000000BA01}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652594Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.958{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-69C6-609D-5053-00000000BA01}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652593Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.958{7B03F3B2-69C6-609D-5053-00000000BA01}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652592Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.508{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEE2E44DC905459BBDFF5FF789AB9F6,SHA256=DDA82A9F2CE2D36D959B177723D2B4BC54229C7B8D801007F681A597B0807BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554291Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:46.111{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39E60FFC7AEC5E0C467ED0CB2AE5DAD,SHA256=0F9A4E3C842B056ED0B53EE2F091B32DE922665981FEC5F8F97155710E2CC34D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652591Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.280{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-69C6-609D-4F53-00000000BA01}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652590Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.278{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652589Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.278{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652588Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.277{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652587Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.277{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652586Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.277{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-69C6-609D-4F53-00000000BA01}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652585Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.277{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-69C6-609D-4F53-00000000BA01}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652584Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.277{7B03F3B2-69C6-609D-4F53-00000000BA01}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000652611Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.566{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-69C7-609D-5153-00000000BA01}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652610Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652609Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652608Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652607Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652606Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.564{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-69C7-609D-5153-00000000BA01}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652605Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.563{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-69C7-609D-5153-00000000BA01}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652604Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.563{7B03F3B2-69C7-609D-5153-00000000BA01}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652603Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.523{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8908C1C774BE99511F4E7340663451B2,SHA256=DDF9FAA07528E28CF2539D77885CC741282BB061439997DB8A1CF42C4C8FEBF9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000554293Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:02:47.814{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74822-0x2e925302) 23542300x8000000000000000554292Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:47.127{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5905B327A7A52C105EC1B74D0887F9B,SHA256=08159654570FCF05DC3BB60C4071A147D674B5D04A1B69F8CA4257429E7C5498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652602Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.286{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D026A128704B82155F844E47E1079153,SHA256=6FB0C8C7126A6B87035BB7C475F4F4EDAFE920FBBC8A04F0CBD1E77BBBEEEAC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652601Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.163{7B03F3B2-69C6-609D-5053-00000000BA01}69724988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652622Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.667{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E7CE32115799BA68247E0049920D8DB,SHA256=5B1278B8DB670756BB2A3BA903CC79C68DF753D6458098281672F27428E05A50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652621Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.632{7B03F3B2-69C8-609D-5253-00000000BA01}59727840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652620Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.553{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9643A63DF135C8F12F20DAB57E099FD8,SHA256=4E76DF7EDC5DABD9EF89C1D1EA887AEEFA741205B9385BCEE7C2564C54B11FB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554295Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:48.877{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B8C0F5A12679691D43287903BA110D3,SHA256=1640DF372EBD02B9284ABC2F65346668C156D743B161BBEB0FF7CCCEC080B6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554294Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:48.158{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B2496C805EF77FAB53D99B035795D2,SHA256=CD67315E4BF7CE36BB3604C6612749C37F154CE04587C43667BF2F53C0E5E6D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652619Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.449{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-69C8-609D-5253-00000000BA01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652618Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652617Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652616Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652615Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652614Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.447{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-69C8-609D-5253-00000000BA01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652613Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.446{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-69C8-609D-5253-00000000BA01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652612Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.446{7B03F3B2-69C8-609D-5253-00000000BA01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000652633Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.042{7B03F3B2-D0CA-609A-1200-00000000BA01}388C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-18.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal123ntp 23542300x8000000000000000652632Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.568{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EBEDBA239E4D898A3E8EFE1E6D82A9A,SHA256=8A28475BE590D6ACDCBCA3797B4FE68A6AF86D3682C92AD19ECDFDBFCEC5571C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554298Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:47.439{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-681.attackrange.local123ntpfalse13.86.101.172-123ntp 354300x8000000000000000554297Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:47.439{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-681.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal123ntp 23542300x8000000000000000554296Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:49.174{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D7CA74A1C0434A6B3CBA5FC0C15B33,SHA256=74CE77A5A2A7DCA9680A946A22662D8B1F23E808F69522F574005AB178BE0FF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652631Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.264{7B03F3B2-69C9-609D-5353-00000000BA01}68723212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652630Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.116{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-69C9-609D-5353-00000000BA01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652629Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.114{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652628Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.114{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652627Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.113{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652626Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.113{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652625Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.113{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-69C9-609D-5353-00000000BA01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652624Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.113{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-69C9-609D-5353-00000000BA01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652623Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.113{7B03F3B2-69C9-609D-5353-00000000BA01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652635Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:50.587{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31680254CA4070676606AB28DC2BC095,SHA256=65056114A3A10624791C268399C4B0C094F49B3E63E8D3B6E490703B93642D59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554300Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:47.846{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51625-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554299Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:50.189{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B2A3C588E6010D8C6BB07E05721B40,SHA256=ADB2F3CD096B92CFDCF9E8A11AE94CA640643AE19628032786AA1BCBCBCD0867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652634Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:50.121{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28ADFB7977A710FF1E944F928279704D,SHA256=7FAD760396C0821F91B6208F444C863D4B72729BFD675B57B2BB1462306B171B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652646Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.434{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65167-false10.0.1.12-8000- 23542300x8000000000000000652645Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.598{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EADDE5E39ABF12C45F892FCAB1E339,SHA256=1144295D0FA7E00E577D057DF4B3F2C9B4737FDEA56679E56180142E29329DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554301Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:51.189{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96A1E75DA264A0532DB8CB2CF0E8414,SHA256=228C53E5A56995039F5BE2CB5450058564B1C930433019935476C36E40F47681,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652644Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.418{7B03F3B2-69CB-609D-5453-00000000BA01}36965568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652643Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.239{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-69CB-609D-5453-00000000BA01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652642Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.237{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652641Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.236{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652640Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.236{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652639Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.236{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652638Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.236{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-69CB-609D-5453-00000000BA01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652637Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.236{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-69CB-609D-5453-00000000BA01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652636Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.236{7B03F3B2-69CB-609D-5453-00000000BA01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652657Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.910{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CCA849F108366447E365620B1BDAB78C,SHA256=D72FB98CD5B49CBEA03157D94938A7D2FCB558D92E85A6260A3206A3BFD52724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652656Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.629{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4611B059A53E52F0BBDA4943E0424A,SHA256=25AEA5EE0D19C5F74190233E1900E8BB1FFEBCE4BA3F21A1420786B7FC0671D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554302Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:52.205{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF5EE7AA0B2BA4406545B32BB0E601E,SHA256=10A2D733554914A63F86C4AB8ADB120B7D576E93B53711E5DA6321C352ADF1CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652655Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.250{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C41CE11E16C1B5E99ED7A9508ABCC183,SHA256=1C6FD1E58340F794CB2BC2904B2927ABA4944F8408EBB1130989366CD9B0E2B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652654Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.018{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-69CC-609D-5553-00000000BA01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652653Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.016{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652652Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.016{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652651Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.016{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652650Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.016{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652649Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.015{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-69CC-609D-5553-00000000BA01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652648Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.015{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-69CC-609D-5553-00000000BA01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652647Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.015{7B03F3B2-69CC-609D-5553-00000000BA01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000652661Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.601{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-18.attackrange.local138netbios-dgm 354300x8000000000000000652660Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.601{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-18.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000652659Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:53.640{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB31D93CC50D63CD34BB70244B5F053,SHA256=E1BFE175A7304B5510A942F8D6D4573824E9F6480EDBB53382FA15B29D5DF0D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554303Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:53.236{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C16415CA5170A1259F0BD6E5D19E92,SHA256=83F6CECA7486C8295C0A367BC381824EAE6558EF6753B5F3C7FF9CB9ADB49CBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652658Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:53.377{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16F28100867C10F0B588D269A25205CF,SHA256=3BD0BAA4A9F2B7BD874661DC77FF77259359CDDDA41C1AB2771090BAB7E2E461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652662Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:54.646{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA6300DF319C1FB79296CA401128E3D,SHA256=4AAFF0F4DCE1EBD5C400B879D5268154938C5460B27478A6575583BB9B1A973E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554304Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:54.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B179BA905785469F23504F7636071C3,SHA256=E4B0AC24D8341129544B1CA64D1C9BDC6458E6A502D26FD7E010E6F804168ADD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554308Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:53.830{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51626-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554307Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:55.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=281A9C655367C369D56CE770F5B73C81,SHA256=21F6D582083D8426346215F3E1A6D3FAF321DF70286E006B7E262089BAC7311A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652663Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:55.657{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0856C8AC5C29D848536290998FBC26FF,SHA256=376709760B3C702E06F407CD4F5947E9B2E66DE4C68B4E395E5203F3925CAAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554306Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:55.236{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E56558484CFC5EDCBD933A3B8D0D054,SHA256=647D6E67375C4127D7C898C23DB7AD0AC1D426B1EEC045405C4854FC691AC21B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554305Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:55.236{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D5B4A51383CDB05AF906BB5E80F00CF,SHA256=B890034074BEDF7DFA243DF084353428AAA772FC4237BE589FF0B497A31F21A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554309Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:56.314{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0C56E0963D665658791DD1D9FAFA42,SHA256=04CE1CCE66D489B6BAA8F409FE57FB22C28282617A2D53B5D22AB69CBC34048C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652666Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:55.464{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65168-false10.0.1.12-8000- 23542300x8000000000000000652665Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:56.666{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063C12C063E5E10562605CCDF637C3B0,SHA256=8A24243BF63412162991F0B5E2CD551153E9B79F27E3F164F5EC499D9BEE7E90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652664Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:56.260{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2319C0445C0CA59C4CC49DF8477CA8D2,SHA256=4E013E7345699EB719846B90FF64A0A75281D2435B011D81213E9A013F18BBCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652667Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:57.682{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB25900CD71C5E6E81C8249F81A54825,SHA256=24A18BC2371130FB28D751012D4AD14152B97404511421DEAD2F3415667F0C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554310Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:57.361{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40624BBB9E6BD1697F43937CE4670CF5,SHA256=B07F62FD741866F2E27CC9AB6322BB72297C77812FCC833BBC9946A00FAC88C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652669Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:58.928{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85B8697C5548964CE6BD0175DBE9D1A8,SHA256=1914AB8B3DEA029C1EBCAEE54CF5C55CAE2BBD6AF16F1059974F570EF656AC26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652668Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:58.694{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC1E2F0345EFD4203CB342F84DF2317,SHA256=B7E8992B453B3B0439F1E021A39353A414A12FC9B1999B2775776FC5A1FBF912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554311Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:58.362{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F12000AAC1A5765C16EF9674DEA139E,SHA256=BB3FFDEDEDE4CD23B742B0FA780AF680BFD37B69CC88D5076E21C5E792C60071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652670Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:59.707{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174BC123E32CDEFDE103D68F7BE322F2,SHA256=4C8B8F9472BF6BD1286B85672665AEF4CA300540CD5BA5A76A2076FFA6B5E773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554312Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:59.406{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B466021F2AD066C073450526C2953E,SHA256=CB99D1BE3CC520BF61D634A5A5634CCEE9BD823A469B9A99224AF6A794CC83F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652671Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:00.720{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33059F3183358CF0E16C97B882F3AFDF,SHA256=60BEF726366EBDBDE92AEF8DB0504EF406361631A6F1AF869A65C467C1FE13E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554313Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:00.407{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3441C854940CFA95E09D1D9A6A69B8BD,SHA256=67515BA944E83B724CBE680306A922BF1115620EF5C5B3CA3D82289F12100293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652672Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:01.726{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E09753BEED898246A5EEE025A50AD44,SHA256=8B78EB6C4CC2022CB15682C3B28229874F14C57A3A9843D0C1DD03C977D504C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554316Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:01.423{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84FAFA4E76CBC2FCCA3106ADC74D6C6C,SHA256=9D58741242315083B169B2951CD2C6F5CC2ADB03E399F18185776272C8C1ED7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554315Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:01.173{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9B75B98088BB4559DA00AA5C52F5FAA,SHA256=7AB01D61F1C07A3ED18F8D9E4BCE3D2E2EB31C97916F6B9C9048378B20E2F3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554314Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:01.173{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E56558484CFC5EDCBD933A3B8D0D054,SHA256=647D6E67375C4127D7C898C23DB7AD0AC1D426B1EEC045405C4854FC691AC21B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652675Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:01.284{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65169-false10.0.1.12-8000- 23542300x8000000000000000652674Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:02.738{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF6B48071E709DC4F4AFE96E0EE1661,SHA256=143764038106C87BD4951BA1B2B80AF69B8F8D3BE8FAB5971BC4A2B598718D13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554318Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:59.814{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51627-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554317Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:02.469{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E02E069593C0DD20DBD4E759E29717,SHA256=8B05F363F90044BFC53D00FB0FB2D5FFEA057A005810DAD0AE2AA9584C957767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652673Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:02.047{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F56E7F06A2FAF03BD315362DE7112FF,SHA256=06F61416CBE6039743930D75FA7C752980CA77DFCCDE5D7B6C79B7F08EAE9027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652677Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:03.911{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=063B32EEC21C7A761D3DB840E7C0345D,SHA256=740BECB5D037E20031A46B4C4ED936DE94DD0AF7F58064248CE037DB448134C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652676Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:03.744{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4753A4661C7175635FDF04B7FF8B3CE8,SHA256=1DEEB756C408AE3EAF7B428B7502BEF2279165D0EB89FB9EBB77B51154C285AE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000554320Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:03:03.819{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74822-0x381c7c88) 23542300x8000000000000000554319Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:03.475{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBCDEFE1E89F97579501E9D864ABE8A,SHA256=1C7F478FA39A8DA3F30828EB596FCEEB7DC10CD570B3D971212B4A0775723996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652678Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:04.759{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5031A7F3EE93D3D02F3915F14B2D48,SHA256=ABF2B926BAE5B848D16A4994AD6BF49CDD6A76E00981B1DF9810B09B933D3228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554321Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:04.538{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2B6D8397977CF6C801B93F27D05456,SHA256=508189E99A84723FBAD2B2EC001CC6BC1EF81AA18DC65F5F242E6EA8EB53D523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652679Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:05.774{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B580E756FFBEDBD970176B2F5F3D6A19,SHA256=AE5E28C0AB39BE13B8B34F2BB086B09600337A0E7C1278F56C0E337D1B571C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554322Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:05.554{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767936DEF22080EC4490E165176974D3,SHA256=4C8A59153CA2152867FA5AC6527EB693E710113206256CAADD4532414936F297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652680Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:06.791{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BBED6C9E9EACABDA662F841E3911EE,SHA256=541A803F55FE4EC1892FD82342E0449BAC411492E0A5B77E6310049AAD8B4150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554325Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:06.554{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9934F003215CD3E9FB868BFD7A1E9A45,SHA256=E87B8FBA46AB90EF657E2CD54021F6B340099965224C6DD0583C977B70F6847C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554324Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:06.397{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE0BF9C372D8C8819F6683367F9E9082,SHA256=00D3B531271F05B7F8DC36CD6AC94352831BE66DF42CC5480B1990FEE6046F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554323Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:06.397{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9B75B98088BB4559DA00AA5C52F5FAA,SHA256=7AB01D61F1C07A3ED18F8D9E4BCE3D2E2EB31C97916F6B9C9048378B20E2F3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652681Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:07.807{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08E75DEE90886C992B26511718477CD,SHA256=47ACD426CE649172A7C314758B05B99BED5D7A996F161B8E669A783C09662FEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554327Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:04.851{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51628-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554326Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:07.585{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2524C6078B5E37A53E20300313EC5EB5,SHA256=E5A18B2D1234EDEFF03E293AEFAD05765640EF4C2EEBF7658C6AD2D521465247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652683Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:08.832{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C9A7EA88698CE748DA903008804EBC,SHA256=7648E225E905B37C5CA999CDE026AF1086CFD04CEF9F732B4E5F78B062BA9CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554329Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:08.757{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ACA9EF42D205DF4352C4FF4F9331CEB7,SHA256=80156483426669A4442DEF7D48F271D0B14FE15A1B756227BF2C35FF70573707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554328Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:08.632{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C01DF01644B28C3EC597C835E888DAB,SHA256=7FE821ED443DD4E009415AF802EFCA19D7B91EF4E4724A7E80B3981C0452A64C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652682Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:08.157{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9874F38BA63E863BA15E1EA36EABC0B4,SHA256=76B7E8E1EA3031EC0D145FA28BCF11FAEDE578D1663DC99F52377854907FC29C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554330Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:09.694{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B3C3399677419C1F3B34E6FE989A47,SHA256=723AA02539AB8B10896728A58C33C87E05927D1EEFAA65B6DFEE277D1B0C3A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652685Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:09.849{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73F6FDC1AD0B1E6BE5CB7A2E6CDC1C7,SHA256=8175E44D6D53DC9BC6ED6532A22A503D4D6F024B0C179F65D8129A0A289AF3AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652684Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:07.326{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65170-false10.0.1.12-8000- 23542300x8000000000000000652686Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:10.863{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D301DFD91C2328500E655FD91BA729E,SHA256=23F1F49ED16F3ABE2EFA8CBF4BB33B09BA25730236946A01C4BDB00E925F473A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554331Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:10.710{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4518B3ED10D9D8D5E8DFCE9515A593EE,SHA256=3309AD58D22DEA7108EEC047CBD2D58AAD7F67464E2FC638562CCEB725DD051B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652687Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:11.880{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BE38F1FD365B79B66D5C2D79167254,SHA256=AB4C33B20A2CD75F89AA2929AC6008F3049BB62A0F4E18988DF848652992BED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554332Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:11.757{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7ADCD2B41A8F531EC04E345B5C80D8B,SHA256=B629AA50609B3D923279570C15A3277E328FD2764FFE2EA435B1CD5FBEECB0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554336Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:12.772{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0D13A85F3455D765B0A084842B73F2,SHA256=7F5D00F5118AC44D27AC46113836017DF4F1C54F84E948262B5D6EF7B62675F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652688Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:12.888{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AAC6F33042212145F323D9D09850DF,SHA256=DCD0E32CABCB8D67711794E53AA379730E0E4E2DBEF74F760BC588071B772EC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554335Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:10.679{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51629-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554334Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:12.100{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F011AD088ED744D54B042438F12DE338,SHA256=6273834EDA420B5AFFF2FBE58205D1BC19B123C8DFFEF1A1B6A7FCCD412DA14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554333Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:12.100{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE0BF9C372D8C8819F6683367F9E9082,SHA256=00D3B531271F05B7F8DC36CD6AC94352831BE66DF42CC5480B1990FEE6046F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554337Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:13.819{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F61C7917065FA1B2290261AD79988CB,SHA256=24509C843A59F39847FCFBC72A0AE423E8E9AF3FBDCB736321ED0D1D319D0DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652691Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:13.900{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1445BF5A9091B156794E15E8DDF23F1,SHA256=7B3AF0D6A9DA9BCAC8CE53B7DBCE166FD5A4728718B6F633AFB410F9074E3469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652690Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:13.183{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25F85C014904AA4C2C58EF89C3FA42FB,SHA256=22D09C72D5ED1973BA159563636272E5CFB1011CA90102A187AAB790069AE72E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652689Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:13.182{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EF437154BC177362EBC16A220FDD631,SHA256=8266F9AE92A8E005984189EB96B401A0E5E186BAAACD8EB54A32C501C0A81D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554338Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:14.866{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5C9C827405326E011D3B8DCF1FBD27,SHA256=1E155DDBE6F3F6770B66AD0E329C164BD7807F76F9C8688052BFCCD26EF374FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652693Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:14.917{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A07957429743366A5DCDD4C15C822B,SHA256=5B5FD7DD64A577F3B1B6C5FB35DC0EDAF22C0AC2AE12829E1CF3C3FB7BE16705,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652692Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:12.414{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65171-false10.0.1.12-8000- 23542300x8000000000000000554339Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:15.882{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0F4FC668B3E58F3BF5DC7D0A2AF504,SHA256=0D7FF8226170F2B89E76EAA3D520E395D4043AB7F2328E2B44A31F66C655DC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652694Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:15.928{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6449FBD9F6554B1CA996EB11C9B9811D,SHA256=B6B191BEA1D3996DCC4F4844464E8B9BDCA7CA97A39C3E8E790E5D07BCA18497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652695Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:16.957{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D083F5879EFBF3817BB0145E7719366,SHA256=F9F0A2D3DF08DD0E6586E64A1DBD3C7311902F93A350219C180ED2277BFB2C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554340Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:16.897{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C13260A2BFD950FA45A17511B627D3,SHA256=6D304A53A59D72C87B8E0DEBAF746554BCC3D7BF82CC37E3AC77933D66FFDEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652696Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:17.976{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C94A3FD03E8B556196BE98AE94224D,SHA256=A353BE71A6CEFEDF14B09C827035E29CB03D73AAC52729091C3AC6E46EBC4898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554344Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:17.897{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B417C9F01CF73AF2D524842E833130,SHA256=6BBDE971D780B1B6363DF8E92A0DA2A388C94B97A993CB7DED43033B160E8448,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554343Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:15.820{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51630-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554342Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:17.397{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C6164DFF0F11E8F41C7DE31A867E8D8,SHA256=84ADEA329381D136822D43AF2501868657A2A86B9826A596377E24E6C8A15A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554341Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:17.397{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F011AD088ED744D54B042438F12DE338,SHA256=6273834EDA420B5AFFF2FBE58205D1BC19B123C8DFFEF1A1B6A7FCCD412DA14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652699Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:18.986{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D0D50A7AA9E52D72F66DB00654EB18,SHA256=26DD296F75D7CF0691D20D43C4E49D758F15F384115B70B94908E784A5A9EC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652698Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:18.940{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0205D2676A33B30A8C51E9A708040502,SHA256=1E49FC80118FE32F2D6EAA0F7AD71C2D00697A0484C5EB077F70D82940106FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652697Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:18.939{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25F85C014904AA4C2C58EF89C3FA42FB,SHA256=22D09C72D5ED1973BA159563636272E5CFB1011CA90102A187AAB790069AE72E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652700Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:18.414{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65172-false10.0.1.12-8000- 23542300x8000000000000000554345Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:19.007{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D62524A2198C88C9E61BFDC2E461F5,SHA256=819B860A93B83C5F7DB7C4B92C8F4358A848B271171A96F24BD0148978E6F43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652701Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:20.029{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A546517F9677DA5DE6869D380C3B5C25,SHA256=C1EC1AD044792307EA2C71D7AC7E049B98C8D4C82BD6A8FD033BD178816FB3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554346Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:20.022{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8CEDF1D99FBBD96F158DA1D2B107F7,SHA256=50264D0D4EC4467FDC431AA5F0BAA55469A935D8F6ECD57A2D27E6376AB1680C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652702Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:21.061{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1EA838773AA571BF697C25FC1FD836,SHA256=6723984A33D2D3DEE47BAF6B41FF6DF027BA8341998BFA2637EAF65905DF33E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554347Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:21.022{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A1C987455F725BDFD5C4AC5506FA23,SHA256=FF4BF7BFC694E72B488398A74154523C4235A22997F872532E35D62F4E91FEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652704Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:22.967{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652703Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:22.064{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A97338C9B6F3A31B0CA49CE5D8EF7036,SHA256=B78C94825398EA6282998AA182C708A880CD4DB80A8FD6BBC129E89A03A2C7AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554348Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:22.022{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F69A817843B051DF0192A782B56F0E,SHA256=311E3373CD09809B495779601523B76695722EB61561ADD7F93882B6201B07FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554351Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:23.134{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=690B7FEABDCD8F905DEE528F64B4A62D,SHA256=F38D94E265651E0F7DFEE035F00A85E8AE2A2C72DA4825B46EA515D978A99F74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554350Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:23.134{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C6164DFF0F11E8F41C7DE31A867E8D8,SHA256=84ADEA329381D136822D43AF2501868657A2A86B9826A596377E24E6C8A15A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554349Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:23.024{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920DB664A8EBDF272A9B078337A905A3,SHA256=F85FFE7FCBADF060B3196D465C3BF956FD8FD703A6A6EE3B0BE449925CDF76A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652706Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:23.914{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0205D2676A33B30A8C51E9A708040502,SHA256=1E49FC80118FE32F2D6EAA0F7AD71C2D00697A0484C5EB077F70D82940106FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652705Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:23.069{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC2F24537D17F253E3C523AC213AFF27,SHA256=E54F5F39FABAD184001FFAD9277EE83B239C96D176BAEC27E7E2BF44AEF01E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554352Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:24.040{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CBB47C1792341645068B65AAEEE7B5C,SHA256=2508EF42D57D37640886169755F233B0233CF34B6A25CAE645147DE33A130E3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652708Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:23.190{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65173-false10.0.1.12-8089- 23542300x8000000000000000652707Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:24.091{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19058B396FBA0F6BE5B3B8BF9E997737,SHA256=58C3E53A2DAED13613DCBDFA7537E783A36E30F46EF4DB01EC4BC813663789F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652712Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:23.593{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65174-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000652711Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:23.593{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65174-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000652710Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:25.104{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409CC9867839AF59433BAE1E19602A0B,SHA256=E9152D942F4F60F8812E58F6482C8EBF048481DEE0793EF586BD44AC61830B64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554354Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:21.726{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51631-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554353Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:25.055{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5ADC1ED18224D8483A4646EF29A9F3,SHA256=C10920201A70598ACC2753EF8015C9C220E0A733714EC4CC1B4D5EAD8A64BD04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652709Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:25.058{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF9FE8AC7542FB261E376787AF3F058F,SHA256=29678FE0F456E1B7D5ACA2A9FADB18969B677A54B752C5D8A091D5AC01C92DDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652714Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:24.290{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65175-false10.0.1.12-8000- 23542300x8000000000000000652713Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:26.109{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D71041137DA5D78438D52760D12834C,SHA256=B65D5E526510C200C522571C1771BB5F0E7FD1B477D768F26CC3ACBA86072FEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554369Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.915{E1BD9FC2-69EE-609D-664E-00000000BB01}24322040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554368Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69EE-609D-664E-00000000BB01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554367Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554366Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554365Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554364Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554363Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554362Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554361Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554360Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554359Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554358Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-69EE-609D-664E-00000000BB01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554357Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69EE-609D-664E-00000000BB01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554356Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-69EE-609D-664E-00000000BB01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554355Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.056{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E5059FE4DC276FC77066CD8B070584,SHA256=1A317C25324F6357ACE43DFEFF9861CA3B75392FC2926ADDCEC031E14C514FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554385Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.805{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=690B7FEABDCD8F905DEE528F64B4A62D,SHA256=F38D94E265651E0F7DFEE035F00A85E8AE2A2C72DA4825B46EA515D978A99F74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554384Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.634{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554383Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69EF-609D-674E-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554382Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554381Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554380Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554379Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554378Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554377Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554376Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554375Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554374Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554373Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-69EF-609D-674E-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554372Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69EF-609D-674E-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554371Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-69EF-609D-674E-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554370Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.087{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF8652A71B8D14B29F5302945490D90,SHA256=F13D9FC2ADE8E676D4D14C1A658246517A0ED4966EDF2BBFAEA31EE379A54F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652715Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:27.113{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE460047317B2B2F924E42D3EEDCAA5,SHA256=0A256371A8EC6A23B5510BA56FC5A0B6B6BDE5DD553A500FA80599E2D35A315C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554399Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69F0-609D-684E-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554398Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554397Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554396Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554395Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554394Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554393Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554392Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554391Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554390Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554389Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-69F0-609D-684E-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554388Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69F0-609D-684E-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554387Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-69F0-609D-684E-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554386Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.102{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B07E18CD3262B2DC8686D5A2BCA4701,SHA256=830A403A839A9AF193AF401FD6F1D4ED27A7043046BFB0582F1E7C842A9914EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652716Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:28.119{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF3B9080B880DA9985BC36A3F38206BC,SHA256=0BC7BF1A8FE1F5D0486EA0C951CBE8720FB4888B74C2A3B1ADF89E689E9916DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554403Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:29.305{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7A9461905542944D3B98D71C1BEA7B0,SHA256=A7227D6AEF43DB08614DAD22B940F00AA3C8C5FCDDB56E81533E26C7D47CC320,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554402Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.259{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51633-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x8000000000000000554401Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.837{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51632-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554400Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:29.102{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7853C9CB6DA1C68D9D3882C64804607,SHA256=8C55B4ED0851C2CAAA537C4BE387FA0B8C1B95871E670AED029ACB840207929B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652717Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:29.129{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689CB380F82C2346D9FD1262D9F7591C,SHA256=D6CB167EA39B7B514785EC49FC76F8D1A2072024619D82CB77B39AAC1D67F858,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652721Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:29.384{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65176-false10.0.1.12-8000- 23542300x8000000000000000652720Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:30.192{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B05B3158D433C342E88983230E728E8,SHA256=31A704D39C4711A7109EF2A5A75A20C225F4C90E0C4B256F11277154B9C6C310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652719Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:30.191{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF12233DBECB4A085D7730D781C5F037,SHA256=C1BF157ABF69ABE61C2E3EE3E5DB064E3479CBD5C8A5E9C2D0A49DE29E98738C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652718Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:30.162{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4953588B3DC68A807E78FEA791A13AAA,SHA256=932AB8065A3719D188A758C983630A897648CE06193700CDB0C4442EA728D47F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554404Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:30.118{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79D1C90D14D845D50E934DE49CF746D,SHA256=25169D006273BDA33911DB6C4A94338448238E860C73F9335E6545591BE6FD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652722Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:31.176{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1ADEF16DD1E6E303BCD8F45DC970A40,SHA256=2C023D1376F2899D0E6AA750D05D6838DB7ED22BB0B01ED8C85760370FB9F14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554405Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:31.118{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3F1566797EE7953608B038CFF7A316,SHA256=BBFC63C3FB1DBED54389FBF72C80E95AD340E3E95887B77F8441C926F19C87C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652723Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:32.182{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8A95343E1FCF24F4305459649F92FA,SHA256=54BC65E3AFB893126F8D2AB701B4265557FB1EBFE8A25D27929C8BD2412F992E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554406Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:32.118{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F263E32A78BC51BDC880AFF2661371BA,SHA256=35483A86D771F3406950640C6AB556122763A71973968EF7FCA6E1D404528591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554407Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:33.134{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB58E2650D7163CA0A41B6B87170F73F,SHA256=4C22A94C8F4B262F9630892F6B51234A630B92F999A752126B17DE4F485579DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652724Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:33.187{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E276247A9ABDBA8021AC441D939CBDB7,SHA256=C928A0BD30C3F614B883F78B85724B84659CC6533429830F33C2D84FBDC5A6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652725Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:34.198{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6496C5792F3A7698AD682B1E9E6390D6,SHA256=909C4F01492815EE2A0218BA3B3C4AA30698C46604C0799359DF99EB66AE775F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554410Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:32.760{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51634-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554409Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:34.134{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=547AA45B0FAFA74EB5149D903DA79908,SHA256=0F321E066C0BED6AC65AEFC6798B69BF29CDA9CD007B319215EF1EFFF9E08FA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554408Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:34.134{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114B1792AEDD50F84962047AC724B4CB,SHA256=DF69660F1BE16C479DA57E6E760FB69DFE4ACE1AF1B9CEAF9B92A62DA2CC4FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652726Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:35.207{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CEF6FB499566BEA7D76BC89F42E6BF,SHA256=0B968D275D5EB1CD47EC1755E0D4310F98BF4B7BB89F8D2EFCB91B8C8C5804B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554411Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.149{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE306BCC6C89EBC7394D6BB1E2C6F277,SHA256=34D50D3FB925B32292747243CDE7F4DE8FCFC85C8688DFFF1AF57323F1EF4838,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652730Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:35.337{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65177-false10.0.1.12-8000- 23542300x8000000000000000652729Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:36.217{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBE4B7AE05A8348D05C38E5B3C64A80,SHA256=1AC912845F4CE68DF6CC85A5ABB4FFC8A5A1C5428043782B305109D05B06C715,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554440Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.790{E1BD9FC2-69F8-609D-6A4E-00000000BB01}14761072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554439Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69F8-609D-6A4E-00000000BB01}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554438Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554437Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554436Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554435Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554434Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554433Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554432Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554431Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554430Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554429Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-69F8-609D-6A4E-00000000BB01}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554428Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69F8-609D-6A4E-00000000BB01}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554427Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-69F8-609D-6A4E-00000000BB01}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554426Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.166{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5C1BB952B8E786C8DE3A7DAEA87FF9,SHA256=772CD8026B9023DEA287A31CD2004864CB9A0D1FFF8D9A43DD057554EA18EDBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652728Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:36.112{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31880CEEA565838FB25467D64BC6C4CC,SHA256=D15974F760422F545241A3B9611D776A2F4F70EFC1B6A19E2F8F997D73720314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652727Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:36.111{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B05B3158D433C342E88983230E728E8,SHA256=31A704D39C4711A7109EF2A5A75A20C225F4C90E0C4B256F11277154B9C6C310,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554425Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.118{E1BD9FC2-69F7-609D-694E-00000000BB01}38242080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554424Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69F7-609D-694E-00000000BB01}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554423Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554422Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554421Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554420Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554419Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554418Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554417Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554416Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554415Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554414Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-69F7-609D-694E-00000000BB01}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554413Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69F7-609D-694E-00000000BB01}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554412Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.994{E1BD9FC2-69F7-609D-694E-00000000BB01}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652731Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:37.224{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD07E3CCC944730701B52EAF8A2BA54A,SHA256=1DC5F5CF69BD179F3AB7B99874AFAB3CBE0434E1F331934CC80DEA009B9E42C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554455Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69F9-609D-6B4E-00000000BB01}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554454Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554453Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554452Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554451Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554450Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554449Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554448Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554447Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554446Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554445Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-69F9-609D-6B4E-00000000BB01}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554444Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69F9-609D-6B4E-00000000BB01}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554443Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-69F9-609D-6B4E-00000000BB01}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554442Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5558D3442D85858620E6D2AB1FED81C5,SHA256=DF200222156290E57E401AD53523E2214CF4A5B0300B66665030B18957CC8D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554441Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.040{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA82AD317B32A835016CCA2BEE0487A7,SHA256=A940463B805E60436C521562917826137F89DE40AF647933C2CD15B2A997B82E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554471Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.602{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4A4EAF0F9E799B81DF13E54FBB256A5,SHA256=C3D9D99BCCD16135ECBF2852031F7973997B7407182A68913F6AE3B66ECFBDD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554470Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.602{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B265AC233385D6FBB0652105FACE3105,SHA256=422BE56134358745CD58749AFDBB099474FA73A6317ED954E08A8469390D410B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652733Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:38.912{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31880CEEA565838FB25467D64BC6C4CC,SHA256=D15974F760422F545241A3B9611D776A2F4F70EFC1B6A19E2F8F997D73720314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652732Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:38.232{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABD7FC9B8C8363F18BCDDD8A8930208,SHA256=8D72C61F8ED843DF4F7541F80DA20E811534271C25791D659AAF628B961B91CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554469Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.134{E1BD9FC2-69FA-609D-6C4E-00000000BB01}38763156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554468Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69FA-609D-6C4E-00000000BB01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554467Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554466Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554465Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554464Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554463Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554462Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554461Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554460Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554459Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554458Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-69FA-609D-6C4E-00000000BB01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554457Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69FA-609D-6C4E-00000000BB01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554456Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-69FA-609D-6C4E-00000000BB01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554472Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:39.618{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4768BAC13E23EB5E191B4295A4927BA,SHA256=91F9FD7C00BE4AD96F89250D7E4746D07306EE669F274CC4062CBEA8A7DAAF4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652734Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:39.244{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41A44B86FC48431A7E51CA0F91AF6DD3,SHA256=7925377097F4E6882C09C1FBC9C6D390BFDB9123CDCFD381990C2E1FD53CDBE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554475Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.775{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51635-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554474Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:40.665{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D27739F422D5C03BFDB851E07BF801,SHA256=CA198834E7FBA2E2B143D1DE7F68D906B9691F48D4C97005916C7D69275D8644,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652735Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:40.253{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A85A23B96897A9E1BA470848C57282,SHA256=82281A8D5BC8EFF9EB2196229ED8E0C3BA9E016CD8DD86F7FC4D34AFE6C5FF69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554473Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:40.165{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F54B9D22691A8CBAB7E525E8F70296D5,SHA256=482F4EF06A32E2F9CC7731062CA0B13E42442822BB53987396004489183185B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554476Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:41.712{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E207BE999DF57737462CA81CF3DEA14C,SHA256=7B1352ABEC9077A4E61CBFDBD39C878455709ADBC91E04ADC0388F3CB1EF602B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652738Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:40.353{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65178-false10.0.1.12-8000- 23542300x8000000000000000652737Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:41.285{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEF97AF3DE4C629B55A715FA5F97DBB,SHA256=D3AFD370199A41C3BF4C3A5772AA002073A639006CFC5A1D2BE1A63C319C3F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652736Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:41.120{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C537559D7E0E1E097CAEEF72494AEF8F,SHA256=866A269C2568440E351260C93C55C2947B34DD885346997F259F5087AD3ADFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554477Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:42.727{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C078454671F6ABDEF515FB0E220FA99A,SHA256=5141B05B4129638B62A347D4A4CA35A2537886374BD25AD96C43E31B93A1D2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652739Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:42.288{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAC254577DE7570B28C014FC20CB96B,SHA256=98D56455F3B5A5911EC7DAE71873CD67F556DAF25D48B1FFD8DD34E08A78FD20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554478Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:43.748{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B18C169E9BD7CA1F6F231D8FF617451,SHA256=484730D66BCCF4DA33E3DE05F978663D43E6DACBF6931CD5070C9386F78DC3B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652741Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:43.965{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=603F3DF7A01E6D20D98EDC4F5144270A,SHA256=B6A3F500FF032CCAB81C7658CF82251CF28BA749071053A26A3D12842F823220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652740Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:43.312{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1CE2015558F2ED8E6B56D08B437547,SHA256=7054BA229B8EF5299E70B180FCED5C82EFD52DE68AC4954306AADB3B5DA381D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554479Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:44.763{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FE429F4105B80F83A334E9B5EF0550,SHA256=0589762B4613257ACD6CB20CCAF6B1FA85AB44E648BD056E009F83015E0BE360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652742Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:44.376{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA71A05C31613848BD02AE25A87FDECC,SHA256=4EDF12E11E1D6EB87D74DAA5ED310F08673B844E8EA32F057337D30C470DC6E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554482Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:45.779{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9BE95780E582F75242F2E800131A76,SHA256=08606AD97D348E86417DD623CFC542446F698CA3E0357CB10CEC6BF7CFC66A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652743Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:45.379{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62813A1E5B4B2F9ADE9715D527AEC9A7,SHA256=4D4B83E9978BD86DC793003D8A78FA44B533B224B3DDC80244D7574F9054B090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554481Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:45.295{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BB916FC52F5A05CA977E0EDE9D22235,SHA256=A24A5DACE2638AA4FB0526C4B34D3B0721DD2E7127FC035BA3B3CDA8991542BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554480Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:45.295{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF4DDBA34DD1FDFD62BD5F86AA9541E9,SHA256=911741C285E70F5DBC43294571C4EC6EF2B17757CCBEAAA51F88C8C579B8C5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554484Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:46.779{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25BDD8258C050452ACCB00BFF4F472F,SHA256=B7C0E7E04266588AB6811260318F55581ED671D93139E8C01650B1F9110A94D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652762Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.954{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A02-609D-5753-00000000BA01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652761Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.952{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652760Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.952{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652759Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.952{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652758Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.952{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652757Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.952{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6A02-609D-5753-00000000BA01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652756Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.951{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A02-609D-5753-00000000BA01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652755Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.951{7B03F3B2-6A02-609D-5753-00000000BA01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000652754Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:45.387{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65179-false10.0.1.12-8000- 23542300x8000000000000000652753Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.386{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2B433144550CC53FA6667D90A2EB3A,SHA256=D4C312FEA362FED9439D805C70482E9C623DBDCBA8BC5090C1DEA3F30F7D243C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554483Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:43.905{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51636-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000652752Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.282{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A02-609D-5653-00000000BA01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652751Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.280{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652750Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.280{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652749Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.280{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652748Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.279{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652747Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.279{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6A02-609D-5653-00000000BA01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652746Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.279{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A02-609D-5653-00000000BA01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652745Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.279{7B03F3B2-6A02-609D-5653-00000000BA01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652744Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.155{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D083C2C9BA6C6DDE58546182C9F9300C,SHA256=D771896C119C0ADEF00F792D63CED3C58FDDD955B23BC6DF4E9CFCACEB655B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554485Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:47.779{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA631EF43AC276734601F5CBFB10C979,SHA256=5C972B385F798CBD42919084C437F2C8C52B0ECE6156B99A5FB1312FDB745155,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652773Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.529{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A03-609D-5853-00000000BA01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652772Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.527{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652771Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.527{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652770Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.527{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652769Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.527{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652768Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.527{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A03-609D-5853-00000000BA01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652767Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.526{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A03-609D-5853-00000000BA01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652766Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.526{7B03F3B2-6A03-609D-5853-00000000BA01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652765Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.394{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC2F41A7E21C3134BC194C9353A2A1F,SHA256=FE8D70E03753C7DEA863D1D647DE2417ADF32F57EC069B8C5BEF5B8EA5491D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652764Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.296{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25057B0E13712F652F1F49E9C1F11070,SHA256=A8C1ADBFD60F1F711F88A1B579C51AAC0371ADCBC40B8A31C28D369236BAC868,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652763Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.147{7B03F3B2-6A02-609D-5753-00000000BA01}67047048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000554486Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:48.841{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A0C4492415CB71C075D8F4EBAFBDFE,SHA256=FB181658F45F4E89BFEC879F91F52C8B75C1E8FEBE9DB42FD27D42E4D76C2F3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652784Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.654{7B03F3B2-6A04-609D-5953-00000000BA01}69764316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652783Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.539{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C166D213840615BA6FBA16AA0D3D073,SHA256=67FF25CF7D112D707D65E6E930981369172FACB602AD0DCF81DC657CDEB1BA6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652782Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.462{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A04-609D-5953-00000000BA01}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652781Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.460{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652780Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.460{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652779Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.459{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652778Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.459{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652777Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.459{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6A04-609D-5953-00000000BA01}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652776Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.459{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A04-609D-5953-00000000BA01}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652775Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.459{7B03F3B2-6A04-609D-5953-00000000BA01}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652774Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.400{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775BB056444EE95E7BB2F90E5528BEAE,SHA256=A5DD2BDADDC0A1019608ED82FD5A53E53E90EDBC25C715634D7A78FE47D54D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554487Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:49.843{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD1D9D9C28AFA305DEE63D57D7D36F9,SHA256=A54F650317A6309920AB0165489266842535EC516DE7F39B91B20858BEC88B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652795Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.688{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79DA9C0C71EE96EF21B04A11AAF99E9A,SHA256=0E1F1A0C08C2FE6BC9E866EB1C61EC4AE18D74419A650C30F8AA882DF18303DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652794Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.412{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2746AAA068ABB6E63FEB9C65B2124D5D,SHA256=99EE5AD59162C53D000455003074CDB1848D04C1443874E1F592427B5AAB8459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652793Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.318{7B03F3B2-6A05-609D-5A53-00000000BA01}41647116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652792Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.129{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A05-609D-5A53-00000000BA01}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652791Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.127{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652790Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.127{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652789Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.126{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652788Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.126{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652787Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.126{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6A05-609D-5A53-00000000BA01}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652786Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.126{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A05-609D-5A53-00000000BA01}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652785Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.126{7B03F3B2-6A05-609D-5A53-00000000BA01}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554488Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:50.858{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9761B090A9433214048DF8B75F30CFD1,SHA256=BE599FB393FD95319C133425BF607DEA4277FF816DC1E3030FEEB798691DEF09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652796Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:50.417{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D1996DE1396567BC3905352C37E1BDB,SHA256=12193BCFA1FEA87D81B998952E9D23C6B1526BACA1EEB1552E0A3C397F768994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554492Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:51.905{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE17212418F65ACC1B3037C1212C6F3E,SHA256=3F7A2153CCC357ADFCBAA3B362C9D27C535940D164BFFEDDD7E1FC1C1D2536B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652806Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.507{7B03F3B2-6A07-609D-5B53-00000000BA01}77686900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652805Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.431{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364A58BEFC090C6C46F63B56600D3990,SHA256=53F5C207F2AA8EC245560496DD9DC93093F1EE48EF231ED7EC2F3069A1A21F6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554491Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:49.750{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51637-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554490Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:51.124{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45ABF2617305D498DFBE3C491B120C43,SHA256=F0FEB0B5F46F556B805BBB985078C2E5162B85E1DC7C821C7105E0FD5E76AEF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554489Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:51.124{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BB916FC52F5A05CA977E0EDE9D22235,SHA256=A24A5DACE2638AA4FB0526C4B34D3B0721DD2E7127FC035BA3B3CDA8991542BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652804Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.256{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A07-609D-5B53-00000000BA01}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652803Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.254{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652802Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.254{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652801Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.253{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652800Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.253{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652799Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.253{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A07-609D-5B53-00000000BA01}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652798Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.253{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A07-609D-5B53-00000000BA01}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652797Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.253{7B03F3B2-6A07-609D-5B53-00000000BA01}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554493Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:52.952{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08266722FA56CC7F6B4B26AA1558268,SHA256=6CED14D5B89D9B63866944EB5103F9A21F6D547C4EA2726BA03E87155F545EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652818Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.920{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=160D6E475E755852ACF91DBE814319FF,SHA256=03A0469FA036522F11AE6F64EC4ACC22608C390D24750EA674B27E2E2894D96A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652817Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.406{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65180-false10.0.1.12-8000- 23542300x8000000000000000652816Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.448{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21098DDA7F01E2EA25A416D52633AF33,SHA256=E6A796C1A7EA52B82E7FC677E25C35E0DABB7A24ACBA5C6DF229B00AB0C88C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652815Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.193{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2FDBBB3F251A498757E1FC789DAFEED,SHA256=61B758D8C930068A782BD0A3C7ED73FBE5EC0FEB3059CEB19A5835EFB9B14EE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652814Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.042{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A08-609D-5C53-00000000BA01}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652813Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.040{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652812Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.040{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652811Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.039{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652810Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.039{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652809Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.039{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6A08-609D-5C53-00000000BA01}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652808Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.039{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A08-609D-5C53-00000000BA01}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652807Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.039{7B03F3B2-6A08-609D-5C53-00000000BA01}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652820Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:53.464{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F6BC497D21FD114B07E17D22D76B16,SHA256=7F1BBA413C865D0E33CCD5ABD7E6676D16D8687611BC933512ADB59D2250A2BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652819Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:53.232{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABD5B39ACBDD950FF5E24D8B378AAF6C,SHA256=1108F4200A79AAA23E8491275935FB471740273E3049EBFA3F90B3406048272C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652822Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:54.811{7B03F3B2-D0CA-609A-0D00-00000000BA01}9127316C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-472D-00000000BA01}4204C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652821Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:54.473{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55F176AFA80DAEFFC37A01940CD7627,SHA256=7EEA413908DD1BCDA7E5CCC96D42BDCD86CB7A36BE71F0FE2502DD03EAEE5C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554494Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:53.999{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34D07046BB74224536451F2B07D8181,SHA256=936D0CB60E9D3D03096B41E7C6910B20D971CF1D50FE2A95DAD106394001780B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652823Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:55.483{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E77FC1BC40004192B7AF389C8026452,SHA256=4D8C03CD1D5B00E3152BF98FF1C3538A319DE144E5446E48D1F0A177B8C5318B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554495Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:55.030{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0FD59DB0E6A5EECEAB2B0A67076BA4,SHA256=EF688512F83903B94AE078D6C76484B0C1E8CFB59D67AAAACDF29FB587125868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652824Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:56.492{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33819DB54F0D4DB8704036E3E0C456C5,SHA256=6087115B9E2FF50FE8373D9B15F137C2034768D08EF93BAAB620119C544DFFA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554499Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:54.797{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51638-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554498Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:56.358{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76EF3B7E96A9B5CA5FB90AD8367143CE,SHA256=4F2603D37984D83AE57ABE8DF2DB4C2021EB309987F853B15B5F2224CBAB1ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554497Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:56.358{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45ABF2617305D498DFBE3C491B120C43,SHA256=F0FEB0B5F46F556B805BBB985078C2E5162B85E1DC7C821C7105E0FD5E76AEF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554496Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:56.046{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BA65D97B5EEC34D42A12906B833F31,SHA256=FCEE14CCCDAF821DB35EA239700BE9A142D97062DD8AC63B4FA17B12BD1D8FD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652825Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:57.498{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB83FCCA1A7C86937D2CCB321F1DE03,SHA256=D86B5F7342C2AF6A7A9FEBD9218CD093514F0A7F8BB5A88D646889BB84265331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554500Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:57.077{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81F70B829AFB64A8837B3D4FB4301AC,SHA256=7FCE73EEFC0ECD99858ED2E829E9A14B4C35A0AC89AFC76B7C6438953EBFA3E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652828Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:57.273{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65181-false10.0.1.12-8000- 23542300x8000000000000000652827Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:58.506{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C6EC7BB3BAD8ECD54E1389EB6692A0,SHA256=0E89FA1FA437C4A1E19299897798B11B2C4AF8A7AFD9096E14827951B44B0AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554501Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:58.093{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A887C62BF225FB6568BEFC2A267914,SHA256=7592A165F32706979456173108F798520E98DC6BD2612045A76ED95C1E4BBAB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652826Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:58.042{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C64E0ACAA32C8E834ED74047374E8DA,SHA256=C4CD2E1FD2FA6FAF91C9BA48D66B8278FFDF6E216A50FF80F79DE96C47B3112E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652860Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.858{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C4D221C7BA9FF0E83EEC97A336DBBC,SHA256=C6FA14BAD4CA9A0965A93FBAD642EC171BD8ED0B12875B4C50A805189194B5D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554502Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:59.108{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558F65B56527AC338DA2E33597343F9F,SHA256=5933154FEEDECB2A904E387FED1CB074A8CDE0D0E0980BE82DB0B5C38A18907F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652859Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652858Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652857Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652856Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652855Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652854Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652853Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652852Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652851Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652850Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652849Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652848Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652847Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652846Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652845Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652844Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652843Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652842Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652841Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652840Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652839Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652838Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652837Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652836Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652835Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652834Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652833Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652832Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652831Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652830Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652829Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652861Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:00.867{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B5989A340F5D572B9544B3C5C726B6,SHA256=8CFC0172CACA4A934FB1F8D58017D3D9F63BA05F7459E06B33AAE5144B3E6934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554503Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:00.121{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87CBEEF16546DDD7CA3E9631A6DBD30,SHA256=8847402267A969FDAE98CC8A723432E551800B3F6F1FF023AFCC6306E9A715BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652862Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:01.875{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395F9ABF76BAAAB19BD2B9FDAB88CB3E,SHA256=ADB6E0D7873D2C055251A6E71A2CAA68A485D7E949F409B919BD838F1DB71917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554505Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:01.263{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76EF3B7E96A9B5CA5FB90AD8367143CE,SHA256=4F2603D37984D83AE57ABE8DF2DB4C2021EB309987F853B15B5F2224CBAB1ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554504Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:01.185{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8E21AF471CB4AB2A7704E173926EAD,SHA256=2087CE830C7B3C3B3EBC86D6B40D621597A7BA7DB038DB18B01EC594E7EB6289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652863Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:02.910{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753ABC3AFBED18FA92EB95A7DE130C88,SHA256=49D2BE1DEAB34808B3BC9140726C6DF56F4F2B29B32F232488616E8AFE38CE4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554507Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:02.185{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6098A41C7CCBE47D072258651CDF686E,SHA256=0F3CBD49AD2F580CA54573E7E1E73CDF51E1333B2061D7FEF290CCC69C08F934,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554506Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:59.872{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51639-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554508Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:03.205{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210D5EF4FDA0FA0A27DA43D18EA8C634,SHA256=0DC402A120AC2CD9B77B1B1C1181659FDDDB0EE4722077EFBD8EA92D65A0B117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652865Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:03.941{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA0F47694772CCCC30330FD4B1C560D2,SHA256=8497EE6960AF36B9928D73C0C31BDDD5BB9BAACA32796689D6A35194C8B157C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652864Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:03.938{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A68B114B293B32192AD274986DC8B543,SHA256=D16ED689F2AAAF8E7186077AEDA89DDEC60C5E8CC7C37FAE1DFE318F71143671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554509Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:04.236{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6352891EF95689D78888DF75C1D5F4A,SHA256=5956C469FF8463CDD9A9232D3EAB3D540263FD213F48801CC1D73E19D4035436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652866Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:04.142{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93A87DB37F974B280F925D78248CA65,SHA256=B9BE2BE7D51C512BACAA4024391F6AEF73C80749B5C442A3076331599D73D997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554510Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:05.252{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3F6A3A850EB0A1F48223E91E96F95A,SHA256=CDCB9A2DD89947A7C2ADDDB07AC7610C52B95277F02F68464B82B03CFDE1D062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652868Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:05.158{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6934BAA92FDE2258EF7CC8E95B341E80,SHA256=387466EF07BA6AC63DD3BB720CCC8B4394309D9159F5BD16BFFF1C2ADC9D265D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652867Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:03.291{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65182-false10.0.1.12-8000- 23542300x8000000000000000652869Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:06.166{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10AC0879076DDBCF7B432F8CB574E1D1,SHA256=5BDAAC8FE9B45FF434EA0B9D0E52C9A78969C56B2C63573178C23A78C3D6DED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554511Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:06.268{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A67CA9B98E18402C0FEB60C3D32376,SHA256=48443E1EF47ED4298D2726D1418E2AE142B2A327C9D35491A2001D0D65668852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652870Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:07.176{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB41689AB0C2043BE75F10D9EBB209DD,SHA256=1A1A9F3B5BC838FABFF7F65EC8006D3F5EEAFDD1E2829EFE2F158BB16048FE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554514Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:07.346{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93B9BB96CBB43B0AA3EC7C5F24B569C,SHA256=6EA915BB31ED7050A618CDD057898DF774DDEC3544EA516BD4BACD676FED8A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554513Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:07.080{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9CB77FB4F572E6E3D2249F3ADDFFAED,SHA256=6AA866959A7345B4EA4750FA4E95219FE28AEFB867642DEA9445938D11F25592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554512Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:07.080{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C9AA87B6ECB31B0ACDCAC61330CB6A7,SHA256=68F52D7BE34194E29C30A0ADACFB67A46F49593DFF06FCFEF885A07737957D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554517Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:08.768{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2DF639181FE5928DAC915B4EB67FA1BC,SHA256=03B6F1F1C5907F88E894D517776980E4A411BD188D7363C3976857C58ABDE67A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554516Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:08.393{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DBD7B4337821A9F6B7895975199CFC,SHA256=F0DFF155198ACB1DDA88B9BD14917A62908585B35E04883E5E87C4123295478C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652871Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:08.231{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB21918E2C10BD0E5E048EDCE158219,SHA256=C1D6FADD16F238D576BCACF75FCA1C801341BD314087AA2118B4CC5D2D059179,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554515Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:05.706{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51640-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554518Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:09.424{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F654C78E321B86D4257E7B567E6CA497,SHA256=306077BB98FC6BD7D9424BC8B7E8D37F4FEAE748D943334A8C56812A200FBDE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652875Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:08.461{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65183-false10.0.1.12-8000- 23542300x8000000000000000652874Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:09.249{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE870C2FD713711BEE6CBD54B7F0074C,SHA256=3D4FF3BFDA486C81E8D9D70AC77603C39786BDB911944EB504109AF05F2B77C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652873Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:09.228{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7132E8BCCABCABAB59BB1BA2B2F9EDCE,SHA256=D1BE0A76B7532F2545BA2D06049C95552C6145B4F913899B3D0B384E8A8864FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652872Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:09.225{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA0F47694772CCCC30330FD4B1C560D2,SHA256=8497EE6960AF36B9928D73C0C31BDDD5BB9BAACA32796689D6A35194C8B157C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554519Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:10.424{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992B270B66257128D6112E8FCCAE6925,SHA256=7D80D4A226036E534317F7B376101E281F8D9A3653072E767E965FB71FC0F8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652876Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:10.318{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440DD3D5965D772939DACD7E95E070DE,SHA256=BB37DAD6953A63F91CB21C1C51D934F866B7CAFA9E9D521520DE3D0DE588AAB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652877Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:11.332{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F26DC9F4D574AD71BBA2F9AA71B7855,SHA256=0E034A33AAD8AF2D489E3FD67EEC9A3A401469AF794D43624724D26BD6D24F49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554520Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:11.439{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E128D149CEE1E1F12056A5DE84AEA1,SHA256=7F6B131DE1ADB44E27D79A6E5078ED3EFA4367460182FD29E28874660FA8D081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554523Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:12.439{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2E50B0D6C3EEC1433DC23DE29C2E70,SHA256=5311224D9A74C4FE8FDE9A7F5CF5DCF636537735AF7AF5903880F3E96B961BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652878Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:12.339{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF918820D949E3FBC2B1CFAA47AB63B7,SHA256=1B5003626A4895AA471E2869D06F65892EFAB321F47EB77162C030CFB4AACB72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554522Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:12.236{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA3D2CCFFCD1FCAC30B9F34859C91EC3,SHA256=68918AC25849834D1EE00A0EAA91A7DCBB04392CD9FD843E6C603CAD46F1CBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554521Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:12.236{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9CB77FB4F572E6E3D2249F3ADDFFAED,SHA256=6AA866959A7345B4EA4750FA4E95219FE28AEFB867642DEA9445938D11F25592,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554525Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:10.815{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51641-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554524Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:13.471{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54BC6FEE49A82415BBEAF745105EF750,SHA256=F0948D268877ADF2C55371433EBACDBFB4DB29D7EB64AE046BCD0E344D837AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652879Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:13.353{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B399D6F8E4C0FEDD1CB2C94240CECC4,SHA256=C52E46D0D03E9C8CF8043CCEC7A789C1E6696B4672AC7357EE45FBD378AF7E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554526Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:14.486{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BBF3AD8088394482C7AAEA50FE7AD3B,SHA256=22BD62F47BA5E3CEF56736083D3149B14FB8768C88FA2BA07F38634F451F8A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652882Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:14.364{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3487039B46233ED33B3D2628BEE803,SHA256=A9DF43A51A09243CE9F46AD467F7FB440CAB4E4E57A3BDB86C73CAC851FAD988,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000652881Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:14.144{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txt2021-05-13 14:34:13.883 23542300x8000000000000000652880Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:14.143{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txtMD5=849CFD52132F283700363D6F06EC951F,SHA256=9DA6F7EC41EC5759D765A1C52BF598D77A763446E1BFAB46A1C4E5368A62AE1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554527Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:15.517{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF91011B9A9D6E7CBC8BC8DE539A9C1A,SHA256=3B64D3CCD01F78C08981DEA4870A68692C0D57AF0C90D2A759C2740BC831A8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652888Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.896{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\security_state\data.safe.binMD5=765B3F5937F3C6C41C3DEBBB42CA4747,SHA256=8A52C9BD31128870C6413EAC0B81DE89A097EA3BF86CEFCB6AEE29CFAE7C82D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652887Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.822{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\security_state\data.safe.binMD5=765B3F5937F3C6C41C3DEBBB42CA4747,SHA256=8A52C9BD31128870C6413EAC0B81DE89A097EA3BF86CEFCB6AEE29CFAE7C82D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652886Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.421{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB1715953487F5717508D2F1F1EC779,SHA256=53FF71716630DAB055F8C8241D2E66B6F1BFF029A2AAF40A6B38D1CD60551568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652885Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.421{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652884Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.137{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=597BD0FCDDEF994AE55C57AC0FF0C1E2,SHA256=9D7D9C1CEEB41C85026592923453AA7C24FBFF4489E11FD02E0CB0724211091E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652883Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.137{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7132E8BCCABCABAB59BB1BA2B2F9EDCE,SHA256=D1BE0A76B7532F2545BA2D06049C95552C6145B4F913899B3D0B384E8A8864FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652896Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.457{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FA971AC042340D9F692E887F5533E5,SHA256=7E1A8FA0289F7A00CFD708CFC664558283297A03767B927A1C300BE81BB00C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554528Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:16.533{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5745D57A9CC64D543E577CAE7D92EA,SHA256=36A0B1DDFE49CF74C771D4646DB561A24D97AFDC1041F0AACE7C48202C8F43DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652895Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.402{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652894Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.268{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=597BD0FCDDEF994AE55C57AC0FF0C1E2,SHA256=9D7D9C1CEEB41C85026592923453AA7C24FBFF4489E11FD02E0CB0724211091E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652893Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.139{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65185-false52.84.169.62server-52-84-169-62.sea19.r.cloudfront.net443https 354300x8000000000000000652892Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:14.431{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51429- 354300x8000000000000000652891Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:14.422{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local52392- 354300x8000000000000000652890Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:14.369{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65184-false10.0.1.12-8000- 23542300x8000000000000000652889Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.164{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\security_state\data.safe.binMD5=952F2DAA7DE56128EBDE4EB0123D5006,SHA256=D0CC8E8F64D42230BFADB7852F0A2FB94127BB9D491F2F8EE9BD11FED4E1139E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554531Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:17.533{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BFE391938BDBA7ACD858858CC7BFB3,SHA256=2AC29B449851EDB8EF7BA1B9820F6A0532830CB0575B07613724F23DCB06FA21,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000652902Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:04:17.786{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x8000000000000000652901Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:04:17.783{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Config SourceDWORD (0x00000001) 13241300x8000000000000000652900Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:04:17.783{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BB71F2B0-B2FD-473E-8F6A-A6267F6C421D.XML 23542300x8000000000000000652899Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:17.511{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5869A10983806FC4F0BE7DFDF1502EFE,SHA256=D574DDFC215B6C21ECDF635EBAB8464591AC33EE97DE6B1A76E2CF49A6D6C178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652898Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:17.436{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\broadcast-listeners.jsonMD5=D7730DDA6E7759262F5C6DCB4572779F,SHA256=F92E4CF9BDF5109F7B353BB675AED29DB3BD48563ED52E70031ED54DE2B0DC6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652897Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.507{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65186-false99.86.33.56server-99-86-33-56.sea19.r.cloudfront.net443https 23542300x8000000000000000554530Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:17.330{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F1C0ADB9235718CE920F463C2465665,SHA256=C49AC0BB804A7FC899288FA08C53055C927BD7522FF856C6CF66C2625B49AEE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554529Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:17.330{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA3D2CCFFCD1FCAC30B9F34859C91EC3,SHA256=68918AC25849834D1EE00A0EAA91A7DCBB04392CD9FD843E6C603CAD46F1CBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652909Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.890{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECDA9E747E8F7670CB9B9618036C9886,SHA256=F39D96ED8E0972A5A007C59934D240FCB934005A4BF850CFD205599FFA40175F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652908Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.516{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5E7DFD757DDAF144CD285168B31128,SHA256=87ACE183DBE90637BAF6652A96E9EC2617DB19EB2D235B3609776CBA3212D343,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554533Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:15.894{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51642-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554532Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:18.596{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2977F5BA439EAF61C11E5780B4DCCAC4,SHA256=11720BDABFF641D201D67D22DE38CC535D77432BEA36715FC4CAF88FC520A1BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652907Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.339{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65191-false99.86.33.102server-99-86-33-102.sea19.r.cloudfront.net443https 354300x8000000000000000652906Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.301{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65188-false99.86.33.102server-99-86-33-102.sea19.r.cloudfront.net443https 354300x8000000000000000652905Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.299{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65190-false99.86.33.102server-99-86-33-102.sea19.r.cloudfront.net443https 354300x8000000000000000652904Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.298{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65189-false99.86.33.102server-99-86-33-102.sea19.r.cloudfront.net443https 354300x8000000000000000652903Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.260{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65187-false104.16.249.249-443https 23542300x8000000000000000554534Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:19.611{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9621346ABE5D69B9C44325F66E0506BF,SHA256=407D20065DADB83308AADB96FD8BB3527D9E923001F8AB63B242DF10AE554BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652916Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:19.558{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69EDE3947B69193EF3BC150A10A23C19,SHA256=6C8DF584EF44C00B85A236511982352DD5898CDD000E6462EDB65517AC290BA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652915Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.035{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65196-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000652914Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.035{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65196-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000652913Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.028{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65195-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000652912Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.028{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65195-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000652911Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.014{7B03F3B2-D0CA-609A-0D00-00000000BA01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65194-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000652910Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.014{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65194-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 23542300x8000000000000000554535Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:20.627{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE4FDD75D5FC9CA1EF928AFA5FAD5E9,SHA256=0747959C84592D340FE32EBC26EF89B498B6DDF986D236D596D3B388BA86FBCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652918Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:20.620{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96B2E32A47FD1E6B90A945251F5774A,SHA256=1939E602B5441EE536009E099018E42603BAB2D6FBAC360211E8C1FB60D869FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652917Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.418{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65197-false66.203.125.12bt2.api.mega.co.nz443https 23542300x8000000000000000652920Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:21.629{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550A8E48533FCA1ABD1B6C732F153B58,SHA256=B9AEE1388E293DC7B716A3EA42F550DB82D61E618D3C418B698B03CC9EFF1BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554536Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:21.674{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0481167FCEEB6E25B5EE0C7C62F7B89F,SHA256=209C42B147A98379664BCBFD1D10DDB7FDE54E57329EFC0CA1D3D39FDBF3B463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652919Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:21.123{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35272B757B13CE67BF18FEFF74165F55,SHA256=3C7D6369574DFAA096FFB6BDF3BF242E36285726B02FC7B634791AB87F690F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652922Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:22.653{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B90AC6A190E9395C05727C09AE69CB5,SHA256=6DFDF97314FA3629E36ED0CD53B35CFB320CD7756283FBAC3A9AFA6031947214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554537Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:22.674{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648DBDDA094CC0C2B2C4B17C6D04A9BB,SHA256=473585AF65BAD598BFD341A99EFF522C6C67A53532390296F7FCB15D4017D51E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652921Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:20.358{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65198-false10.0.1.12-8000- 23542300x8000000000000000652925Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:23.948{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF42E0837030BD0BC70A399912A37033,SHA256=6465908AEA5E6B48ECB238EFB5C389BEF262668090752D5AD4F8D44863C5E405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652924Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:23.668{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB76C9B0419AAD392AD3DDC97FF6828D,SHA256=EE5A4AAC6A0293E1E4600B45F79BF3071AF9E1D828BF9958957CD1FA95B5148E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554540Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:23.684{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566D9D8AC30A8E28A0F332ED2CFD2CC3,SHA256=50B3CBA1C2CA1B4A76525D8012E7115B010F502A37F2D082730B872B21B8262C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652923Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:23.003{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554539Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:23.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F62702D67A36871C5008B67C065B81F0,SHA256=7C5A08BC338FB027A46A7F0A5765D3CDF81B0E2181A4502D0F89ED8A80CC1647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554538Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:23.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F1C0ADB9235718CE920F463C2465665,SHA256=C49AC0BB804A7FC899288FA08C53055C927BD7522FF856C6CF66C2625B49AEE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652926Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:24.692{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77986AB527FD313D54A9B2DAAD2F8E4D,SHA256=0B575C15736E76D4C5D60F95107F9AC6F832B56E10D683F27455AE251ED5572C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554542Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:24.731{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37834FEF05D7CFB1A64536061DD620E,SHA256=041B618881283BBECAC048469D1E3F14C02DF6A7205093A9EC72A333C49D0A34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554541Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:21.784{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51643-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554543Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:25.746{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8A116C6AF48D0253520FA6BABE3C36,SHA256=6AE63E083B527CB6782EE94651F7A07EBFAE9C4A9AE5AFD58149211D1A070D49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652930Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:25.717{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9CD18341FAFB887AA36F8671202D85,SHA256=AA1FE0C5ACCC3D1690985A1A19F8C0606FF8C52759A2DA91097C82CA362AD38A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652929Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:23.598{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65200-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000652928Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:23.598{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65200-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000652927Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:23.224{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65199-false10.0.1.12-8089- 10341000x8000000000000000554557Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A2A-609D-6D4E-00000000BB01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554556Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554555Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554554Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554553Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554552Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554551Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554550Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554549Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554548Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554547Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A2A-609D-6D4E-00000000BB01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554546Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A2A-609D-6D4E-00000000BB01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554545Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.810{E1BD9FC2-6A2A-609D-6D4E-00000000BB01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554544Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.762{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A357CA03B68B7DB4AF39BA081661B77,SHA256=574FD538027EB44B17B22C5AE6835A19D14949F36D58C28932AD411DC8CACB25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652933Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:26.721{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B562493611E380018EA2E44A4407CA6,SHA256=28FADEFCBD8D4077BC404B5CED1DF128F716564879DAA400B6165C5113A2DEC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652932Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:26.673{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=522DF31CCDDEA337B81FC89CD94ECAF4,SHA256=DB70E1978FDDEE10201E7F695379CABBDDE8F36E265CAF4BEAE5B1BCBFF6F30C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652931Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:26.223{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DFB58C2475A37AECFF3FF6E292C9770,SHA256=1134B7E54B26DDF1ED6178FF986EC5771EFE5CA692AEFD4757657323DD89A781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652935Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:27.763{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6411E107496C8BDCC778F43A62EBC9,SHA256=F4F61A31C1E71E34CE21943FDFCACC134FD2F0C2E27C7A60FF1A983585F895CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554571Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.653{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554570Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A2B-609D-6E4E-00000000BB01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554569Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554568Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554567Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554566Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554565Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554564Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554563Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554562Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554561Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554560Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A2B-609D-6E4E-00000000BB01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554559Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A2B-609D-6E4E-00000000BB01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554558Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-6A2B-609D-6E4E-00000000BB01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000652934Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:25.464{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65201-false10.0.1.12-8000- 23542300x8000000000000000652937Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:28.775{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8285F6BE337B1F8A8FC405CAADFAB39,SHA256=56786629E9C89B46DAC5BB341B7C98C85535BC6BEFC33B4C0CFE2D47155439FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554588Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.278{E1BD9FC2-6A2C-609D-6F4E-00000000BB01}40401188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000554587Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.278{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=845422C5EA447E81267E036C66823E44,SHA256=16AD1AE8EC44EE0C7BACA060C947AD86C036B8797F4A3B449144B68E2C2118F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554586Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.278{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68242C26786A34EE8A1F467618299738,SHA256=7DD75E30A7FC23C5465159F1071CC6528E46AA8E167EA399906FECF54FE315BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554585Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.278{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F62702D67A36871C5008B67C065B81F0,SHA256=7C5A08BC338FB027A46A7F0A5765D3CDF81B0E2181A4502D0F89ED8A80CC1647,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554584Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A2C-609D-6F4E-00000000BB01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554583Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554582Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554581Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554580Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554579Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554578Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554577Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554576Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554575Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554574Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A2C-609D-6F4E-00000000BB01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554573Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A2C-609D-6F4E-00000000BB01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554572Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-6A2C-609D-6F4E-00000000BB01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652936Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:28.340{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=496DE726D213B2701F04E5AE54E6CA70,SHA256=5FD18893659B97138ADAB64E04927BB862581084A1AEF92A46E4D99C0FD2408D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652939Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:29.922{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=953A19B36EFE04DA14569AFB14F19D9C,SHA256=B6CE2341C80BB5D27D5F5239E7394E25C39CB454EB61E35C68AE733C578E21E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652938Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:29.792{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D026EB6E91CA1FA4D59C508CEF831FBE,SHA256=97E77F3E163B07BDB8DD09C60C3E5EE2B0EDA64657D6412582EA98101F0E6A1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554592Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.279{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51645-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x8000000000000000554591Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.872{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51644-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554590Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:29.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2E44F92453EB23873987BBDBF994B1,SHA256=9A2103AC8216C808447B255A2A976086778D37BA52025A7C8603E458C2D4C93C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554589Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:29.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=845422C5EA447E81267E036C66823E44,SHA256=16AD1AE8EC44EE0C7BACA060C947AD86C036B8797F4A3B449144B68E2C2118F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652940Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:30.830{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72365F0BBB3F4C01865B5FF8F11EFB4,SHA256=78C76536321DBBF098EA551C321793999B6ED52A802E70B76CD088C293BD7D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554593Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:30.184{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F757034A9D759FF0718F41C68BE4EC,SHA256=1EE0704AE2E800B5A94B252B8FDE69968FA1D75F1FA2DB1AD1656B00BAA2DF6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652943Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:31.850{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B63A64D6B29B6EAC608B1D59A91D1E0,SHA256=34F5454E531E3AB12045A5ADA2F5228501E4BE9BC6CCF840C650C5252FBD078D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652942Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:29.335{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65202-false185.70.41.130185-70-41-130.protonmail.ch443https 23542300x8000000000000000652941Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:31.240{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5A74CDA99E9DF6951375E7C0130F7B8,SHA256=7629F46A8D3BD586B6A9ACAED5E230906DED6F7CE5B04E508CEA62A0066A5F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554594Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:31.184{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A020C2F94C8B64D71FE80968B9EF09D,SHA256=38510DF79FFB4E5C9E41899ECE14433C101766CA3A6C650DE8310BAE3ED63D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652945Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:32.862{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0F227513A15FE79FA1C4E40C9506A7,SHA256=9FF4346FE645EB5FE9CB0A0575377DD3D582336AF7A5BB6395CE5AEB1D8EBBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554595Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:32.184{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B59977BDA792EA4C26B840E16E77B66,SHA256=9EA251ED3A557088021072436DECB9D23A6568A267F38F1ECB9A72FE7F7D3BBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652944Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:30.471{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65203-false10.0.1.12-8000- 23542300x8000000000000000652946Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:33.867{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB4ACAE9A8A5DAD7AC5B27AEEC73AD4,SHA256=72BFF722EECD1A626AF365BE0F3B43D8551CC5DD21185989735279A96DC95191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554596Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:33.215{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C4AAA3BA088256DCF81800F4C782BD,SHA256=32D81152DDCD8FDEA69D7BB2F7F275690BD654D240B82ABE5AB49C710D17B649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652947Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:34.982{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B28F5A03EF7D5735A209D08EEF71C6,SHA256=26D7A8874735E170CBA829B0AB387F3B71039C43A302D56830ABD850937DB13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554599Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:34.293{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0A03C0AD60EF08D7F12B3280BC4E54,SHA256=28251B8EA29E90AEC435DA8ACF0CCE83E6F09F528C640BD9108E884D173852B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554598Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:34.246{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F31288419179D13F5CBA82BECB97CC8,SHA256=02DB260A9F06AE3D8950DF68D4F65E423B94320A1EE3D9D60CF628724710B76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554597Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:34.246{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=892A8DCD3BCF4AAA207F78A986600B8B,SHA256=217D32D777E60164C1B7639DE47E8AE1BC79187FA890AD3D4F38F7303C26FB2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652948Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:35.993{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517E7FA166726598D070C5F73E941696,SHA256=ED0C4DF2C11888AEB36F4629C4162B98B2850CA2CBE11F7165D5DD9A2DF44E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554601Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:35.324{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C7E7EC721BC2FCD61CED5843608187,SHA256=22B47B8EF03474E372289F990632C0773158BCE7C3E8D0C601D70FF2B11EC2A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554600Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:32.872{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51646-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000554630Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.809{E1BD9FC2-6A34-609D-714E-00000000BB01}6162016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554629Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A34-609D-714E-00000000BB01}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554628Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554627Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554626Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554625Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554624Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554623Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554622Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554621Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554620Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554619Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A34-609D-714E-00000000BB01}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554618Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A34-609D-714E-00000000BB01}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554617Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-6A34-609D-714E-00000000BB01}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554616Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.356{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3744CB1CFD73C03D261EED259119F24C,SHA256=754253CA1A92D82D48B43C3605AB530219681407217171642BC0790FD3FC638A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554615Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.137{E1BD9FC2-6A34-609D-704E-00000000BB01}32921464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554614Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A34-609D-704E-00000000BB01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554613Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554612Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554611Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554610Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554609Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554608Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554607Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554606Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554605Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554604Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6A34-609D-704E-00000000BB01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554603Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A34-609D-704E-00000000BB01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554602Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.013{E1BD9FC2-6A34-609D-704E-00000000BB01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554646Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.543{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4467895D4B094B5B7AFCD57FF49C89,SHA256=D207E410CC135F447CE81239F0B8CB4B1226A519A4566CE6B72CACDF7EF1BC93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554645Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.481{E1BD9FC2-6A35-609D-724E-00000000BB01}3904736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000652952Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:36.357{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65204-false10.0.1.12-8000- 23542300x8000000000000000652951Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:37.128{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C156C8FBBB92BE087C1F0B4BBCF786FB,SHA256=5520229DB9E6AB51A7D0250AD3DDEBCB7A5AAE7E726D0F0C7A98DDE0D513141D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652950Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:37.128{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAD526C60424210CB4F946818BD4548E,SHA256=8A218F91B7ADBE2F1A6274210A7638E69CB7EE8A405A6027797E10C2896E87A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652949Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:37.025{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187AE83765780982DCB21A3FBA0A7B1D,SHA256=B55ABDCE70C2BECF687245EFE0873E123CAC7C072F0D3E6516971E511980859C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554644Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A35-609D-724E-00000000BB01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554643Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554642Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554641Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554640Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554639Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554638Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554637Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554636Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554635Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554634Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6A35-609D-724E-00000000BB01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554633Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A35-609D-724E-00000000BB01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554632Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-6A35-609D-724E-00000000BB01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554631Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.028{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F31288419179D13F5CBA82BECB97CC8,SHA256=02DB260A9F06AE3D8950DF68D4F65E423B94320A1EE3D9D60CF628724710B76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554661Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.481{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B929C4997B483D094A1A932FD558C9,SHA256=5D06E31F5C74591DED1614167A1F2F61E3C61D09A4CB98B74F5CDBE561986C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652954Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:38.946{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C156C8FBBB92BE087C1F0B4BBCF786FB,SHA256=5520229DB9E6AB51A7D0250AD3DDEBCB7A5AAE7E726D0F0C7A98DDE0D513141D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652953Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:38.102{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA4093E02643DE4063525847E336881,SHA256=3EE2F836A93C73BBF906C984D79D3B89897821DE9B6CA510C1F5EB4FE11F9A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554660Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.371{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=324BBEEFFDDC21CB5CC76F3737901C0A,SHA256=AC0DE5A73E0900C5FCF8ED105768AC275C6EE06212C8573C953AE69D99981855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554659Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A36-609D-734E-00000000BB01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554658Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554657Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554656Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554655Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554654Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554653Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554652Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554651Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554650Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554649Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A36-609D-734E-00000000BB01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554648Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A36-609D-734E-00000000BB01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554647Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-6A36-609D-734E-00000000BB01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554662Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:39.512{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6950FF1D3F11D8D49F489757BF11F20,SHA256=E8378AE2C2B9864D890A5CF3A3636CDEA641160E56C8D0A7DAEDACC64EBD90F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652955Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:39.125{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40BD2FF0B3C9625E7C68B648FF55116A,SHA256=26C3F083E9AF1E71F4908B8744B816C21FBCC57D9561D2F6BA4D7426C9593FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554664Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:40.528{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1AB7D7BBD71AC58BEDFF2E97BF78E4E,SHA256=DFB2AC4302DF8494244B01452F682C121DB4804ED526119571FD9FBD36F25098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652956Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:40.143{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922EF7A5899DB4E36EC8A4132FBA7373,SHA256=669035C80D6930DDBA062F019E063374BCE7F60CCCAAE216F2C99AA7EB9732E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554663Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:40.246{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F709DA3E503EED9CB1F1C981C78F2667,SHA256=885EDACCE628D1E1005E28635934D01C4D4B0A7760242393EDD032378669AE46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554666Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:41.528{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54C9724D446D0972374C5BA04792099,SHA256=81E6061DD5D8F41D81E9C5598D93620E17B7F945081422FE2E58EF77E146787E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652957Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:41.166{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0EBAB812FB0AD576AA3C33ACCED28E,SHA256=FAA1BAE2D1972948B8E4B5B2F2DA37855E4DED0BE5EF4B142524A29321B8BE93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554665Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.872{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51647-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554667Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:42.574{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=897DA6B0B1E2F089F25080B19A730B05,SHA256=873F5E9EB2235AAA04746C735601A8CDB444B4D19BE95B5DFB9AF9B69266992D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652960Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:41.431{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65205-false10.0.1.12-8000- 23542300x8000000000000000652959Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:42.199{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C47F9DA6513034F00243E53470CE4D50,SHA256=C90C541E3E53036663178A63CCABB2C535BD6DA827FA210B3AD5C5177F007053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652958Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:42.183{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F45CD74FFDD57BA1131B96D87CDC9BD,SHA256=3E3AF384DDE3CB4935D6CE0199DF7A7DBC0B3B652ED6CCE9BE428B43BCEB418D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554668Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:43.607{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8255C07CD682B65C348D66128033B3,SHA256=1E8DA439B01A26EDA70CFA5ADBA32BFDEE637D5491FC59E78C966B06F3118DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652962Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:43.966{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=411C416BB1622C74B76F4C08AA1A7458,SHA256=1D514BC5BE03DEB5A2C54018E90F6B0FC796BD61C39584697CDDE7A8AD936CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652961Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:43.197{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2EBD73319FEB0AB19C91C592A2218BC,SHA256=193C8382ECE03185C997370668910D2F9C574DF7D9DB3EE3A88E6E653A41A9F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554669Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:44.623{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9E4A342AC51FF52B9DA1EEFA187E90,SHA256=D19667ABA00BF3567D152B180BE5CDD476AEC4D90A9F7B66F9BB5CD199EBC1AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652964Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:44.525{7B03F3B2-4788-609D-774E-00000000BA01}1036ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1036.xml~RFa277e94.TMPMD5=5714059E6175AA2BE2D911D4379F98E9,SHA256=264C6878029CE25FF6ED4F8B1DC23FC47E1DCE8FD2D3EE4B31E7066B69968955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652963Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:44.211{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16849C3A8CAE0663F4642112BD1DF1CA,SHA256=7DF78E8B9AF3FFD40201D242DFDC9D7B7D5237C552B957BCAB94DE163C3472FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554670Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:45.639{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123C7C4E56AE36FDD531C419D109C81E,SHA256=EEAF3CF6A4CBB5F0215AFC4C0911A765F7DC125AD77AF1ED220C90D7BD5F79D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652965Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:45.217{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5C3617A6730234BCB4BE444A4170D0,SHA256=EB1C55C5B1F155B8C56F3322E6BB0C99E56F075889C2B89998C3EBE6EEAB754B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554674Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:44.764{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51648-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554673Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:46.654{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA21C19292304375665FF18CF19BDAC8,SHA256=E64CA2D7D9FCE2C2ACBE38B07F70B3D6749A815F6B865B70ABFEB0A1C085254D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652983Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.961{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A3E-609D-5E53-00000000BA01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652982Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652981Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652980Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652979Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652978Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.958{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A3E-609D-5E53-00000000BA01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652977Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.957{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A3E-609D-5E53-00000000BA01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652976Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.957{7B03F3B2-6A3E-609D-5E53-00000000BA01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000652975Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.450{7B03F3B2-6A3E-609D-5D53-00000000BA01}78607964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652974Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.284{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A3E-609D-5D53-00000000BA01}7860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652973Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.282{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652972Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.282{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652971Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.281{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652970Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.281{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652969Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.281{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A3E-609D-5D53-00000000BA01}7860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652968Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.280{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A3E-609D-5D53-00000000BA01}7860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652967Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.280{7B03F3B2-6A3E-609D-5D53-00000000BA01}7860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652966Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.244{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01FFDF6E76CB48C2B9E1BECEE735830,SHA256=058216814A0014F5F1B155EF196FB284234D1EB8FF3DDFD19228F1EEC9C2554B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554672Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:46.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=342D61056B229779911736D574F78A86,SHA256=82B9073E3277FBC4F602AE9268284D12A0A553CC7A73402C4D226E6B62082672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554671Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:46.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A7DA095F8B6AEB9834D1455F1EAB2C4,SHA256=124DEA611EDCE8FB511EAA19E40A659C01D7B5F9C259C913714A40BAD7725E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554675Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:47.670{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0260CDA91A085644F63DF25877ABD17B,SHA256=A80AD47EFB18F4C30B805A170FAFC0D9D284A6BCA5B7FF5AB290AF0E8BE60230,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652993Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.572{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A3F-609D-5F53-00000000BA01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652992Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.569{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652991Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.569{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652990Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.569{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652989Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.569{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652988Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.569{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6A3F-609D-5F53-00000000BA01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652987Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.569{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A3F-609D-5F53-00000000BA01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652986Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.568{7B03F3B2-6A3F-609D-5F53-00000000BA01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652985Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.300{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A1A17B314D5C42906D2F16FC386D80F,SHA256=B3D5161098FAC5A47323393A71200E6771DDC1DFC1918C00E02A8550B59C8680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652984Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.256{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D783CCF85DE91E87837FB8627852AC42,SHA256=5AEC328326D5C353BFF9233CE57B13D25BB2BFEF880D80B242D2CA680B2FCB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554676Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:48.685{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DC86C36D97E82359A74FE3D0E21E09,SHA256=09511367289305B98C18B7A769A6ACB6C1C4EBAC65651635AF991CD005CFD2DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653005Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.399{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65206-false10.0.1.12-8000- 10341000x8000000000000000653004Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.611{7B03F3B2-6A40-609D-6053-00000000BA01}38684848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653003Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.578{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=211C37589FF3018CE245999AF0DD99FC,SHA256=4861B81C0786A30D8C800BE9F9B912891B74BB913AAAE95AEF0E1C9722D19D4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653002Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.469{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A40-609D-6053-00000000BA01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653001Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.467{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653000Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.467{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652999Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.467{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652998Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.467{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652997Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.467{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6A40-609D-6053-00000000BA01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652996Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.466{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A40-609D-6053-00000000BA01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652995Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.466{7B03F3B2-6A40-609D-6053-00000000BA01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652994Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.317{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F715D13D5C2972EFD52DAC38A581EFA9,SHA256=A97D2A3B0C9CCD242E36D671004EB5A81C75289E196D4901669153E8007DEBCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554677Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:49.732{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94CA813BEEAC20FACF2C3A53ADA8B02,SHA256=B3A94C60692CD5704E382E3C9854B40E4F4A63A33CF504138641E2C7A468AF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653016Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.619{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32714FF1242876968E688E5DBE6D6F9A,SHA256=BDB774DC356645B9E5437548A2C291952DB037B1BF5142FA695985060D5E8F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653015Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.331{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=537549A902E4D5CB8396C5879228C4B7,SHA256=83BC16ED7ABDA2BEB9D5A0F9D4EF112174BD520E8931DF3D7CFF4EE9F3C4802B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653014Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.318{7B03F3B2-6A41-609D-6153-00000000BA01}28363644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653013Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.155{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A41-609D-6153-00000000BA01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653012Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.151{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653011Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.151{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653010Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.151{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653009Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.151{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653008Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.150{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6A41-609D-6153-00000000BA01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653007Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.150{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A41-609D-6153-00000000BA01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653006Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.150{7B03F3B2-6A41-609D-6153-00000000BA01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554678Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:50.748{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08ADBE3F68672CE59C1D8714BDC82A6F,SHA256=E59CE300DF5110DA64676DFE0F0623028BF14730300706B760C5514CF2514555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653017Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:50.334{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD66117D1338ED8BEE0697B2C748B888,SHA256=7429FD83B3B2E94E089543743D5ABC9C5EFB2CD16E6DD2B70D7D6F7A073F608C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554682Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:49.843{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51649-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554681Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:51.748{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F9A414E13AAB396F237341C33860F8,SHA256=5B2F6A82DD7886B46DC30E459912FBE61D7436ADC5CBE5A0961A51D793731AC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653027Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.432{7B03F3B2-6A43-609D-6253-00000000BA01}32207668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653026Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.378{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A529DED9EDC4D68AB7F00BC4988CF50,SHA256=B21A0D3DAF872C76CCE4060ADDF76BFD58313CCF5AC6896A6A19D84D0B49EEA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554680Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:51.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A081CB534BB95F9F584DCA2BBA3B3E1A,SHA256=41171F95969B0F06531ECEF7EEA14FEC6C3117662BC32B2A0399A3FB0D27D80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554679Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:51.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=342D61056B229779911736D574F78A86,SHA256=82B9073E3277FBC4F602AE9268284D12A0A553CC7A73402C4D226E6B62082672,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653025Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.266{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A43-609D-6253-00000000BA01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653024Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653023Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653022Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653021Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653020Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.263{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6A43-609D-6253-00000000BA01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653019Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.263{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A43-609D-6253-00000000BA01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653018Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.263{7B03F3B2-6A43-609D-6253-00000000BA01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554683Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:52.763{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F299E01207FF46F7140312DE209D9D3,SHA256=05D0EE743629DB562624F3FAC2CCD0535165952E7075A2E7CF92CB424BAC1580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653038Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.930{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0228A25BCE31CBE3CFD25EFD5C8F1399,SHA256=96288288E3DD9EA5EF26BD4F0A1D38BD673E12C835CBC3580CB9CF34AD4D8009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653037Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.432{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72AE985874272FE00E423E939DFF300,SHA256=BF28A967272766977CBF4F3031723684B7B257D81CAE75E5A6A56973638B54CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653036Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.281{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=196234E1E58AEDA8B736A32CFF8349F0,SHA256=C00E3B5DD7C5D7F6B4F3FE92490678F958F59478C6D3D3FB66DDD4179545B18B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653035Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.049{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A44-609D-6353-00000000BA01}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653034Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.047{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653033Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.047{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653032Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.046{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653031Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.046{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653030Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.046{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A44-609D-6353-00000000BA01}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653029Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.046{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A44-609D-6353-00000000BA01}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653028Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.045{7B03F3B2-6A44-609D-6353-00000000BA01}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554684Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:53.763{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A9B5F296AE2FA4E845CF1A78E418DA,SHA256=2D026F7C8A48100BFF6FBFFED20D47EA10F1C00980D1525E632C5997F6DD804B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653039Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:53.446{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06666C93662A361C807530B5DFB76F91,SHA256=04566A96C821F68C18A6F2FB9EB540959784701F6FD049531D9224517B2C881E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554685Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:54.779{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01747C4D5EF2A600EEB7EC28E642EFEC,SHA256=BA0C1E1C7AB1C8EDA6C4BBEC7B8A7022A3182154940AD0FFE96633950D3403EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653041Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:54.459{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FEC2D4E9C1FD588BC594B1C3501AC0,SHA256=A0A6AB0259ECB39F9DCFBDBA24A81CB637641E59704B2C850D06038C95CB4522,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653040Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.413{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65207-false10.0.1.12-8000- 23542300x8000000000000000554686Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:55.810{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BE7475CF299624C77E42F922868137,SHA256=12C40B91A30D315D5F61903F878C53225F8074D8B54DBE0C4803ED8645F0D124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653042Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:55.477{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D864E99AE24FDBCED8FE87D52CB6320B,SHA256=E768D18380EFCD559C38257EA9BAD527161F2BCE934DD123FFA1FD6C17E7AC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554687Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:56.826{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCBDC6E5BAA60EE806D94AC870425E2,SHA256=F64E88BEA26D4BBD239FD2B94E4C385AE6951BF496B95A9025FE85C0619C662E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653043Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:56.488{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1657F460A903862600A584D5558C70,SHA256=FFFBF6B6AD2C753682FC4087A2B17344F87C852D8F2B11D6C38004EAA1EC678C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554690Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:57.857{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CC5C7898D26669E618BFFAD7123642,SHA256=14C0AC27BA4AD2BB4CF6C26B977D7A72D5AE87B811E8362289D56B5BC6ABBF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653044Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:57.511{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70DD7579C01FFF81FD304F3231D5B1C2,SHA256=EE1E3510DC5A4349E44353E40EA355E24B434F6B83FB4004230CF91D33EFF4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554689Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:57.310{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69D740BCD135446850F540302CF29FB5,SHA256=79715EEEBE8298A066C7337C369256EB1F0C0E269F73EE38D894756A8F043DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554688Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:57.310{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A081CB534BB95F9F584DCA2BBA3B3E1A,SHA256=41171F95969B0F06531ECEF7EEA14FEC6C3117662BC32B2A0399A3FB0D27D80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554692Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:58.873{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352C3E03C282F108B8853CE578ADE2E3,SHA256=9776B88388AC8AABE9C4B34CE4CA6A90D5A6E98051D24BEDDF8A7FD5CBAC0211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653047Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:58.522{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0C7639812B8268BF609316E26E9D7E,SHA256=0C576C921FFF231A4441BE8D92A68B8E4E4A6FE9B0DA9F32E73545CA1B66AF8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554691Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:55.733{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51650-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000653046Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:58.214{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61370F5EAC4855A77B3CA9BF4F132063,SHA256=C5D9233A755AA3E4CF3DA2D91D617FAEAC12CAAF1025805C09231266093C1B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653045Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:58.212{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAB9B14C57FC073EEA04CE3559CF661C,SHA256=4EAB4F5EC5AB7FD10AEFD076174E2BA5C65AAA2D4F06AC84F01B62C3BD9AC1AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554693Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:59.890{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9594D3FA05F1AEBEBFF3F80B2E838D78,SHA256=2603005779428B6A7BAAD6461386125181931789ED452F3DB3A6CB613E9961C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653049Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:59.526{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C97A462C10CFF60899DE0018B2AA5BA,SHA256=B1E973CF3F94DD59F1174AB6135DE13BB2470940E467BA3827409EC3DDFE961B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653048Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:57.441{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65208-false10.0.1.12-8000- 23542300x8000000000000000554694Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:00.950{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38694A591D2845E10AB44C047043DD6D,SHA256=EC152E3DA014FEEFD0473BEF35CE0750452655FBB98DB6047886B0CD52F8F3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653050Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:00.542{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E13B4257E0B4E6F8DB33B7BFAD4D98,SHA256=706D094D5B89CAA4CCDCB81AE168671B0F238B42224DC8F315133C24A96DD964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554695Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:01.982{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533D7157BAC15E81F678A0EDC44ACAE9,SHA256=9D6A324C041A68C442A59D9B527A001F45F60A95E88D1026DF8760F2DF359B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653051Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:01.551{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27551B49D975F26CAD799F61FE6EC0E1,SHA256=DCD5A13E3665EDFE146274EC4AA5C4D9051BB08057F23C70694742EFA1D525D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554696Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:02.983{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7246F73EB396772C6B5EF189FC1E733,SHA256=91E3C6F509C7238C4CC1DBF3B579F7B0E65377B2277C8D02F1F1228B692EA426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653052Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:02.569{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=572D7670A0899CC26ADD31061CF68C39,SHA256=CD89DDAFE7D92A05BB5F4EA3CD31EF3E39ABCB679C68A43C2DAB87C1BE6D50B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653055Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:03.966{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D29B795FE92E303F093B24332D7A099A,SHA256=3056BF28BF2643B56F8B455DCAA4EAEB7CA2F4E45CAE852F4658F3D74EDBB7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653054Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:03.963{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61370F5EAC4855A77B3CA9BF4F132063,SHA256=C5D9233A755AA3E4CF3DA2D91D617FAEAC12CAAF1025805C09231266093C1B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653053Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:03.805{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3CC740F38317AD1774A10C88ABC116,SHA256=E4F610FB19794AF43F63E4257F21A06CC146044BC434BDB0F3CD6D069D65C8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554698Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:03.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16C06A291D0FD2B823EEA7CF2585B14F,SHA256=7D69A660FA93E4D9EA1DF4350DE151F9C6FE742469FB5313F422F941C1B72095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554697Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:03.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69D740BCD135446850F540302CF29FB5,SHA256=79715EEEBE8298A066C7337C369256EB1F0C0E269F73EE38D894756A8F043DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653056Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:04.825{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DA4C545D985D7EF5C87EF1620DF01B,SHA256=334C695E2FC7190BC03BC4534D730A25A7CC23505EB106C411FCF59EC10526E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554700Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:01.765{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51651-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554699Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:04.014{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D63DAD7F67BE130C17DC108FF212A5,SHA256=27A8A126B2655AAC48531AB8003D811186E18FEB5EF8DB5B140E1EAA00E7515B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653058Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:05.829{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C099B916BE715A0F972F97EC70A2F32D,SHA256=D103E7870F52B1894A3787AC2F77B05B05C0B4E8CFFD3CB517289A6F9FFFCF33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653057Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:03.439{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65209-false10.0.1.12-8000- 23542300x8000000000000000554701Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:05.077{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0871D9042D4794B7048C58157655BC27,SHA256=AD94025D499A34AC0064569EDE31EF1209D128DD6AEC6FC6900F7EB881602179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653059Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:06.844{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F94A86BFDCA09F14F9033A3E453733C,SHA256=EE8523DEBED7B06C66D44F8E1B87C42A05E0B98C34183229239C0D1B4071834B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554702Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:06.092{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CED4E6886BD575988E722B3C9D706A,SHA256=0CDF12BADB56B22D19484410B9726B2070C27E2B1BF56BB79A69429EEA920F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653060Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:07.848{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9344223361AD03ED273273C5D71887A,SHA256=03F31AE909A92D57B40AE051AB3044AAD9C846ED1093B3A3A5EBBFA691F3F836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554703Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:07.108{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765526A7EC14995FE717DC431912218C,SHA256=E26E5FF618D065FF3D6D2080EF773C6E175D376FD03C185C9439A6C69479A6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653061Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:08.863{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABDDE6B4A950F2BAD4DCC9989E17403A,SHA256=8AFC053DF54BE6B8A9C51F0BAFDAABFD651E7F070F52C72A3F25117EB036D764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554707Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:08.780{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=20B9B5ED8561099115995F3EF267559B,SHA256=753CC3AB5EFE96018D20AD515D89CF649712F3DB47819B2811B65B238705AC81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554706Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:08.248{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=959453097D2F40F436C896AAD45ABE70,SHA256=7B1C2AD0F8225CE87658975CC97C48D02CEDC3E54DC1F449AEFD8C3650445520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554705Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:08.248{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16C06A291D0FD2B823EEA7CF2585B14F,SHA256=7D69A660FA93E4D9EA1DF4350DE151F9C6FE742469FB5313F422F941C1B72095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554704Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:08.123{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B440B925863F34C3FE530AAA8E78D1B7,SHA256=12A6E9ECE0EAB43F100FEF42C0507FE92ED8A59FE757D6DB288C35050A18E5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653062Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:09.906{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59624562665D434B435C17D211EF9BD9,SHA256=5C7AF6911082BDE9C530A1740A9AF08F56D4D61B8B0AA1B158B3AF4BE9E1FC05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554709Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:06.844{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51652-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554708Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:09.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A41865FB10CAF8C87D2D9BCDA6E3ED,SHA256=6AE4768C047769EEB4C0399AC6F69225E8C2C21B88FBF37CD5E49993366A1DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653066Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:10.912{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FAFAE9439E70358F1576D23A8C0C08,SHA256=F77F9450420045F51399B5362D977A7B4D4EF5F6BE29328BD731189793AC14CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554710Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:10.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC0D03A25D26A2C8834F25AFF3C5B9D,SHA256=E3EF99D1C467899B9E00AF16CFAD8E81001C2B8F4BCBA7C717826F955F684F4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653065Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:09.371{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65210-false10.0.1.12-8000- 23542300x8000000000000000653064Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:10.161{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8DAD3C25732CEF87BF3A4435401872A,SHA256=36DA56136C46B7627CA350271D2E7258B1461833EAE264137861C028CC4448CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653063Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:10.152{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D29B795FE92E303F093B24332D7A099A,SHA256=3056BF28BF2643B56F8B455DCAA4EAEB7CA2F4E45CAE852F4658F3D74EDBB7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653067Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:11.922{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0EF00C8781DEBFAF2464801F3D09EE,SHA256=7270043756793CD2695F04CC0428A9623D41EE31356B1BA0279FEC7708A3F467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554711Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:11.155{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3663799C404048CEBB803302DF5786F1,SHA256=CED37F39499AFC86F7E03D307B0EE9B7CC6361537695D3E0AD5687042AA7ED3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653068Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:12.933{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962D31196B5B5AE0B335FFFE941F39A0,SHA256=47A36A6E8C0ADCB6FDE3A177CCF24C0F639303C75F202045E0FE9E703397C387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554712Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:12.155{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13378A6FD0FC5144FC014ECA4D94A6E4,SHA256=27EF2C6C551CE2C728B0AF2B59844D3BDCCDD4ACCD6E4D59CB3CD4CF434E0B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653069Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:13.942{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94B7C0F3CC841223E4C8DE4E12CD00A,SHA256=E6109D6FBD7AFC1FC5F27F011BDE17BEABD5FB3E9B524A643DFCE3EE2729E636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554713Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:13.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA5B498BEE4ADA81528E1A904323B23,SHA256=42C7ECDBCA77D196E7DC473E4FE6BF4E410D5F75A96CFFA23766581862733893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653070Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:14.970{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35552D6C348F04C51CCFCC3D5C255D1,SHA256=F78DD5674B2FD75CB6C5B5BCEAA8C3643DC7D6BDABD7C8735666E26205F859F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554716Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:14.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCCB37AE9981FE6EBEF32FBD8D9942CB,SHA256=7CF0C962E38FD66CC709518CB1958576997D8A20A5262DEC774D9AAB0C655D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554715Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:14.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=959453097D2F40F436C896AAD45ABE70,SHA256=7B1C2AD0F8225CE87658975CC97C48D02CEDC3E54DC1F449AEFD8C3650445520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554714Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:14.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EBD53049BAD7B5596F38ABE0DB9CB0,SHA256=6BB96DBC567A59DB30390C299835F30FEEA181048A8C4160328B3121DA06AA2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554718Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:15.264{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBAB4F3721B09D8EC49D5339E0DFC7B,SHA256=0E2468646280DC1A0C308667DCB3C06D5C72E2CA532DD31132D025A83D91C3F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653072Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:15.567{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22BABFC451ED31A92A20263FA8EAC435,SHA256=64DE14C6A22D7543C27D3EE7702A15871019907C7CFFFAF03955497405963622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653071Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:15.565{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8DAD3C25732CEF87BF3A4435401872A,SHA256=36DA56136C46B7627CA350271D2E7258B1461833EAE264137861C028CC4448CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554717Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:12.845{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51653-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554719Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:16.264{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C94030E13FA18AE71E12378C41F9EC,SHA256=D65F7AC47A7A16C641C752CD1279AD450532F3C98F32213A1A607B82BDE786B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653076Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:15.281{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65212-false10.0.1.12-8000- 354300x8000000000000000653075Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:14.947{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65211-false31.25.187.150forum.rclone.org443https 354300x8000000000000000653074Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:14.784{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51750- 23542300x8000000000000000653073Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:16.061{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF36758C427EF34FFE52F33A7D4A03CC,SHA256=009651AFFBAC6092AD0C0FD55E5C6EB8F5B24311EDCEC7253430BAC8A5049E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554720Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:17.264{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714AA3AB41B737A78D0D44F07F17EAC7,SHA256=18BB4A0B7313A2E3142E6360D03DDDE5CB7C696479F4F213B70055786B14F6AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653077Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:17.080{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC24AA08D20D90BDADAFBD7D255F9AB1,SHA256=EBDD7EAD5FC572FC43FEFC6F046048C4375A8E78C44B459B4B5A19E704FCAA4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554721Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:18.342{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17A7923DDB013843E4ED8DDE1823378,SHA256=A3E1453EFEEA013443D88403A00715877CA1F8F6B0248494FD94F5CC5DEDC618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653079Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:18.973{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22BABFC451ED31A92A20263FA8EAC435,SHA256=64DE14C6A22D7543C27D3EE7702A15871019907C7CFFFAF03955497405963622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653078Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:18.145{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F10BFF6698191C8D92AB69EC1F060A,SHA256=F39F6818DEB5AAA82FB6EE239876FED82B28943891F39351D51A237782F0D49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554722Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:19.358{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5513DA33B4285D69C5672ACE51A108AD,SHA256=F0EA0FBDAF40008194318FE05A70BA251165B3223C75941728E447E571C29C4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653080Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:19.200{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A787B94EBE4E205C4E8510032F16CF39,SHA256=61572C59C5660B8904F1BFC2948E8FF34047FB690A5CEB4D1977C511AF83BB2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554726Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:18.750{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51654-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554725Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:20.373{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979486BB0701476A7A2D163107836F82,SHA256=D223D0C7ABDEE318B880CA897E6B461BEEBA368ECC789D822D9B9E549A48CB22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653081Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:20.213{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682ECB6F39CE568EB31285BC00BB2C08,SHA256=F72820D8F257662A5117E7FE9B889FF55587ED17ABE8DE03A27D8A1DF4F13E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554724Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:20.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08935302234F669B34067B7E73272F21,SHA256=B5E5D76EC9DE3BEF840A83839792CC44E33AF385DF7357FCB0C9685A1118DA95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554723Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:20.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCCB37AE9981FE6EBEF32FBD8D9942CB,SHA256=7CF0C962E38FD66CC709518CB1958576997D8A20A5262DEC774D9AAB0C655D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554727Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:21.405{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D430368C3003FBAEB758460B790ECE82,SHA256=380CAAB2FCFF05D9B48C624D3A24578B17A3E48FF5CE0DE9A5483364BED4EE0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653084Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:20.432{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65213-false10.0.1.12-8000- 23542300x8000000000000000653083Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:21.228{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA5099108F590299213A57397381007,SHA256=E1812C778870FB8D0006128314746C2D30DB14C11FB2220ACADB6AB5A56B72F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653082Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:21.200{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12D2DF060D3DB8FE8EF03A474582D591,SHA256=466819D1907F1E006EF917A20C11E41A3B8616099BC08CE5667B3C9CE5053E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554728Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:22.405{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB070E3DB55C345794D286B7589376AE,SHA256=F476B56E9660BF4CA289DDE89617E0175E9D5272E7A6B6F7111D70CBE1EE1B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653085Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:22.233{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677D1B4DE84E47AA9E01DA8BFC40D64B,SHA256=B60C53AE22023B70846D1D49EF83083A2FC505E9A20B2942D018BE338F541080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554729Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:23.408{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743DCC959F9FF2FCAA1350B03868C8FF,SHA256=36ECBE46AE73D2CB4A7F6D5DCEBAB0109852E25E1B7420F35652CB033CCF23F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653088Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:23.971{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B6575C11F99B060E9E9B9A4A7A3D52A,SHA256=446A154BF9423A8024A3910DC4758BDF4E36515A57FC89009FD863DAFCB7BB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653087Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:23.247{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD944F90D0D72757B50AD92A325F4AAC,SHA256=CE1A8E00A95F124EF37012D567E1FF20F904BCA39F8B4987600309D7EC63735E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653086Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:23.025{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554730Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:24.486{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABD8C749D9142EAFB02A4216E51A2EA,SHA256=598327EE7D88268B7382EB9E5A138EF87F4C8CDF2D3B9D34AE24E4AC034F37E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653092Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:23.603{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65215-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000653091Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:23.603{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65215-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000653090Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:23.246{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65214-false10.0.1.12-8089- 23542300x8000000000000000653089Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:24.258{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD83A9922463E0F60E715643449B51AD,SHA256=D55C482671CA404EE3A43E7E7B8633F37AE3D6DBA679AB945988BEB66CFA824E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554734Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:23.878{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51655-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554733Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:25.502{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFFAA4E18BBDBBC43A166F0CDC1D7DB,SHA256=025783D715171182FF3F2E5EDD56244B97087F387755250988E7AB802FF0CF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653093Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:25.272{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA7B902AAC216242AF3E4D510B1D119,SHA256=C7CF24931D438AA64C8BD99AF187C39AE7BCA74AEA2DAB96259E1C8FE04E6C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554732Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:25.283{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2BE071FEE1603ED7FA4C709F2532D40,SHA256=0B0B21B8E96D0B7D2F060699228536D1634A27038D7C4106A4557CB739604F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554731Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:25.283{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08935302234F669B34067B7E73272F21,SHA256=B5E5D76EC9DE3BEF840A83839792CC44E33AF385DF7357FCB0C9685A1118DA95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554748Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A66-609D-744E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554747Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554746Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554745Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554744Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554743Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554742Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554741Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554740Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554739Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554738Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6A66-609D-744E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554737Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A66-609D-744E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554736Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.815{E1BD9FC2-6A66-609D-744E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554735Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.518{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD8C7AEBA39E2DD71FFAA99591AC0F9,SHA256=785EA0EDDA6DD397FC2BF2D28AC85962927F7A2CC2ADF860DD5AAE18BCA415DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653096Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:25.458{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65216-false10.0.1.12-8000- 23542300x8000000000000000653095Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:26.298{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCE08B8F2166CC118B928001A44CA04,SHA256=053DD8F846464AA4EC89CAC6172D38102B7A670E8B4016E1CA9E7E6D31B80CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653094Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:26.226{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D59B7282A0ED4A52793A358266D5EF68,SHA256=8D4AE77BBBA887B261590032655898BD15EB3E8B96600A7332C3781C7CBEE87C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554765Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.971{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B43DBDD816CA33E5101FCA12F8FEBA4,SHA256=6D090B918071B6E981529C53E594CFC1F58C1F44D3D4AE5D103A1850B37986B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554764Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.971{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2BE071FEE1603ED7FA4C709F2532D40,SHA256=0B0B21B8E96D0B7D2F060699228536D1634A27038D7C4106A4557CB739604F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554763Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.674{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554762Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.611{E1BD9FC2-6A67-609D-754E-00000000BB01}25202864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653097Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:27.313{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA185FA8341F633CDA92938053A6DAC,SHA256=A6F209FF32D535852568C68657204F6F6350FDEE58C2B14C64F6AC7B12B88211,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554761Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A67-609D-754E-00000000BB01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554760Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554759Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554758Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554757Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554756Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554755Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554754Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554753Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554752Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554751Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6A67-609D-754E-00000000BB01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554750Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A67-609D-754E-00000000BB01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554749Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.487{E1BD9FC2-6A67-609D-754E-00000000BB01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554779Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.627{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B299502DDF1D73556FE95365E9B265FF,SHA256=A6E26C08D6EE59392738DBAA95A9F6696DF70372A2075D9CCDAA5635A83FE394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653098Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:28.321{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9C7FCBB5A274A4E5E086FF0812C72A,SHA256=7224A1B1627867DB27F5DE3AD71E6720942C4BE0FAA02022C7805A715ACB4560,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554778Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A68-609D-764E-00000000BB01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554777Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554776Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554775Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554774Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554773Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554772Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554771Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554770Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554769Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554768Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A68-609D-764E-00000000BB01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554767Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A68-609D-764E-00000000BB01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554766Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.159{E1BD9FC2-6A68-609D-764E-00000000BB01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000554782Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.300{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51656-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000554781Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:29.642{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD519723492E4F7D5088D2492EE9B13C,SHA256=E4D15679C19C25DD2DCF9E8183D620CC390E59D81D307F019A481BD752968081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653107Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.834{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=7A61B2827816C260F0A3D27A992B0F56,SHA256=F30D4AE5E9B42FC572C09D5D8CA6E7B929174EBD6A5841CBF9B7BEEF5294A918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653106Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.833{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=AB030C9413B2BD158C9758C029F0B693,SHA256=DA4D7B93DD6DA942E20116D6B30CEEA754E31E9DCEC3DEF06BC1E4877FB146DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653105Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.831{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=C247DD0C01B3AAB186C6ECC2E357FC0A,SHA256=382F3545BB271453B42C7E3333BA28648EF0CFE21A52A2009287CF08DB430155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653104Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.830{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=85C3FB2DDE5C6FF05CD2726C9E2C61F9,SHA256=D7B3752134AC77CBB5BA77748C760B27C5B30CFFA406E9314866C508933D1CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653103Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.829{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E6C99A8A2B2F4237B147A824616E5A1D,SHA256=7A451FF15D556F439ABFCD895419E9DE155C79A177D25FD5535FDC8AEBFF276E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653102Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.828{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=A099ECCE92CEC3CD718D2120EAE0FFD2,SHA256=0AA40605038B6EE02E8D43982D12869349B91DC728A6BDDB604826934B35428E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653101Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.827{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=4495591A0265CF88336D115C4766F64F,SHA256=6B8B65C1810C0F54FB00EDE011110A70C55D24589132078DFFE12C662D4C4AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653100Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.825{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=692FAA48615A03099DACB01967549010,SHA256=B2C7FDDCC96BDB820292492E959B6A9CA40F75A0449D3A2B1BDB158AFDB4B901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653099Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.329{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6D6D7934D2DAC20642D326249D2D5E,SHA256=4029FC0D5CEE7816601DBEF90AA649A24C637D2C8F1B46D11057B92CCFA7C056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554780Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:29.189{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=336474DC471CBDCE1C7DCE532CE16868,SHA256=AAECFA107C02239FE32528530E6574597F93CF38BF64A9ACC772C45134BDE73F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554783Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:30.658{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519E8C25B520CBBB3B87F655D208DC16,SHA256=A45874C52DB0DD5F0094026CF01364A001EBE9CC72A2DF39373CA7B9B81478E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653111Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:30.837{7B03F3B2-D0CA-609A-1600-00000000BA01}13046840C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653110Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:30.837{7B03F3B2-D0CA-609A-1600-00000000BA01}13046840C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653109Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:30.834{7B03F3B2-D0C8-609A-0B00-00000000BA01}6327824C:\Windows\system32\lsass.exe{7B03F3B2-D0C5-609A-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000653108Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:30.339{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269C67AD307F115CE9756859FE3CABF8,SHA256=79E4280314C3E205F7984223DFF36281BEB7FAA59C92CC53141CF55FC8642799,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554786Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:29.816{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51657-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554785Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:31.689{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEF39023849A276C4BCD2C9DA615BD3,SHA256=754C5F707A6890BA00CFDF7E203B33B9A07D5202E416075700869B99D506E29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653114Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:31.845{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=098D0EF84A24EF1395E24400F542C2B1,SHA256=92AE06EE46EB603450D66E671B9DB6B587ACA3170B001C5E93215ECCFF2C1B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653113Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:31.844{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A5F169D4E7F319BC42143416D418F4D,SHA256=39340EE224EC4B4874FF73302FAAD298416489348CD9B17BCDCE859B508448BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653112Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:31.371{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A071925BB15A115638DE56F5955031D,SHA256=34A0FC948A2986146DE09D66F4B520F0F91C1790C94E6BD7C945445374AF8041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554784Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:31.408{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=651E038780CCF4995265C468E34485DB,SHA256=29E61C7D97B05842EA04EE2FBADA05F9F8FF98E0E7F839A5166BCDA5377EEDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554787Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:32.705{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460D67BF88077E087461DAB81752E0C7,SHA256=30A1874FB20102D6C39B92D9A24A83A55775EF22FF6533A501CD5D7DBDC4B33B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653118Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:31.445{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65218-false10.0.1.12-8000- 354300x8000000000000000653117Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:31.074{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65217-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000653116Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:31.074{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65217-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 23542300x8000000000000000653115Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:32.384{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF875202DA2B9F7138F7A2859FEC0803,SHA256=3769AA5CE86469CEEC6B8440ABFAC2A9624C876DDD2ACEC64E5F0D594BE1C111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554788Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:33.721{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F574CA49374B48E5968F7F164F461BA,SHA256=4134588CDF223FC14F0BB68FAFC437A2B75607836788A6CC29F35B3F481225DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653119Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:33.391{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C489FA80BF3BA702177F2969434FAC33,SHA256=11F5798F7CFC140E36B27442AC6A85FA38DE96A5E227F356F3C30B4246EFA81F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554789Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:34.783{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDCFC2D3F5A9436AC8655AA12C11ACF,SHA256=7A42F93556B9AE10E0725A7475D441AE8EDA03451A9A7CE2682D0DBBA8941E0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653122Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:33.663{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local60099- 23542300x8000000000000000653121Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:34.431{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=098D0EF84A24EF1395E24400F542C2B1,SHA256=92AE06EE46EB603450D66E671B9DB6B587ACA3170B001C5E93215ECCFF2C1B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653120Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:34.397{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4F00753CA85884F10686A1DDF2BF15,SHA256=22CF14CBFAF0C4114FCF451CA455CC58B0E8A83D299E58158497FB311C09F53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554790Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:35.861{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29C320A0908B0CC6E9C3338CAB47B81,SHA256=81A7910A63FDCEB028D2611DD20220F4EBF5EAEED8353B63A0E2C8D33013CEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653123Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:35.425{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265BFA475ECA7AF7A2550C95C322E5DA,SHA256=6B6874FAF34A201D2D19907D97828E2850CAEFC5EAE524348DD3BC375BAB49FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554820Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.924{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC2046B2D589B29C7C40C4EA661F01F,SHA256=5F19F4B0474A90104812E73366AD4D9B24310E43AB5BD1B3A9B6829F5E615CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653124Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:36.432{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C048CE001A2D8BC85F00F4A143DAF34B,SHA256=F2E0D4913270660B883623FBBD8A6B5079AC7B83E7C8CBEB291BCB5C86C454A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554819Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.814{E1BD9FC2-6A70-609D-784E-00000000BB01}37321192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554818Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A70-609D-784E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554817Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554816Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554815Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554814Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554813Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554812Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554811Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554810Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554809Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554808Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A70-609D-784E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554807Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A70-609D-784E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554806Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.690{E1BD9FC2-6A70-609D-784E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554805Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9477239DE128AE56F6E6CE0204365F9,SHA256=DAAD7D8FED5638101CBA3941428C21E9AAA5B29B322372DBAF2C67DD5FEBDCD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554804Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.142{E1BD9FC2-6A70-609D-774E-00000000BB01}26281344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554803Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A70-609D-774E-00000000BB01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554802Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554801Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554800Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554799Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554798Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554797Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554796Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554795Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554794Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554793Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A70-609D-774E-00000000BB01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554792Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A70-609D-774E-00000000BB01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554791Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.018{E1BD9FC2-6A70-609D-774E-00000000BB01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554836Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.955{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F3979D8E54FA7EBF073353133838BE,SHA256=AB0877FEC4E04742D073222BA0199BF9945112147B60B104D1143323B2610CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653125Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:37.448{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B499E7511A3743D9CAD0EEFA0AA7662C,SHA256=0F81137F6F5E5608E28620746A9F5FCDCDC7AF0401604052B75A33B94095DB88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554835Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:34.894{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51658-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554834Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.705{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93A4759F1C64967470B0D71CADA36C0C,SHA256=E7F76099795967B87E25E831B908B455EB2DD20B6C0FCD1112FB07C9D7A9B988,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554833Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A71-609D-794E-00000000BB01}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554832Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554831Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554830Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554829Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554828Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554827Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554826Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554825Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554824Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554823Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6A71-609D-794E-00000000BB01}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554822Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A71-609D-794E-00000000BB01}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554821Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.362{E1BD9FC2-6A71-609D-794E-00000000BB01}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554851Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.955{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517813FB46FD93C9C166A246E7346662,SHA256=034E02C205FDDFED1447F02A6EFD2E570B8F6A785421860A202886E4D064D9F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653128Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:37.447{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65219-false10.0.1.12-8000- 23542300x8000000000000000653127Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:38.487{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE4D8F17BC5D6C43101E4CDB915A5AF,SHA256=1E915F65C02CB3EACD400E4F3A078FEE7F4DE776FA4021A5C9A940CC73828522,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554850Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.158{E1BD9FC2-6A72-609D-7A4E-00000000BB01}20201872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554849Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A72-609D-7A4E-00000000BB01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554848Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554847Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554846Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554845Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554844Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554843Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554842Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554841Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554840Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554839Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6A72-609D-7A4E-00000000BB01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554838Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A72-609D-7A4E-00000000BB01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554837Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.034{E1BD9FC2-6A72-609D-7A4E-00000000BB01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653126Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:38.246{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=422BEB6E67BB9FBA2687AFF96CA19AD2,SHA256=017EEEA337193364FB2543410BB662C9A98CA787F19378B7D8AB719F44A24478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653129Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:39.501{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F055C71F4B2B7B13673627445665C6,SHA256=EB086078DA4D684D322763E42C90DC1D59CBE5ED9B4B03B2D7C7A734DBC3513C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554852Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:39.252{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E4569965F46D1B5D57D1AED8C3804D8,SHA256=C0F64320865D9E4C59E1E660D5136C66227E989A3B7A5A91ECE3233E893A38D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653130Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:40.570{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A37479A88EB49CAD2CB2371D982529,SHA256=4E3AEF3D084177643988E2B70783F16C957351D3B8A19FFF7D70050638CEE091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554853Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:40.017{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A429640B950BAF65114FD019E4966E,SHA256=62C703D19EDD9EE8A163DC9D86ED8704838ACC86AAA062446B66DC3FD2B7B967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653131Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:41.589{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD49CC6E659C27E35666D3C5E124162,SHA256=D9480A9E6F918E28C4CBDEB88C139E196E4949F225987E769729FAA84E573662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554854Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:41.033{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE5367EA35CBC5C06FA18F693E41A80,SHA256=93E297FDA36C0E307AE10C0FB06AA1699968F259210C90F3E9D87598E1E51954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653133Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:42.606{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28616ED44A0CB6BF38BF20673F707541,SHA256=1DF3D024C3D49661FF23EB55CD06586D0BD588D8398207E3792CA35CDE7CF371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554856Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:42.299{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A734282AFB0F71E8900DDE2DCAE7B09,SHA256=D0FFD360F629EA3A9B1778EB94156F867C6CD59551F7B941FED08DF9EDFA9B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554855Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:42.095{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8BBFC5F7342179E57D496440CE870D,SHA256=AE65F1E1A3C06DADD070AF7D1C0F6256715C5C8E3BA5893BFBA13AED15605F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653132Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:42.576{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDD08792CFE48EF57E5A6C550A7A7D1E,SHA256=AAF39AF37DBE0E37ACE21EF1BB5887DB1D11F8B86E58BFFE217361CA0A8DF958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653135Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:43.986{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=555B9A6B7947113EE327D179EC416CBF,SHA256=52CBF4A5F4AA027BD1FDF888AE5A68608A3815C8A70417F247F17E3346DF4FBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653134Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:43.613{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA43AF2343A136ABB07D31EB84BE35B5,SHA256=383577F54DE69F9A8E1182F26CBDFFDFE78006B44523BB2B3DB567F6182DE4C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554858Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:40.863{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51659-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554857Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:43.111{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0371C7C6B970A26ABFC714807A6A69D3,SHA256=BC0631D70EBC720FD628E7AA5564F1DBE3E1AC2F37983DCE2C100B51BF113733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653136Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:44.622{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0142E9F7404273649EBDA1D8ED8037,SHA256=D144319625155E15DE167439F6CA624D1B44C10F3201C0A6E7EE2A2DDCB23D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554859Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:44.126{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397A0093E3C497B5C3A095B5004C1671,SHA256=91050FD6D00B307AB1677F61F5AE3156876984408FB254C8BD34995F54653F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653137Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:45.631{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFA7DB3C68CF2B72C2E61ADCC5FEB64,SHA256=CF22B9B2237218DC47DDF822C72E3FE19EF31FFECF91E8503E639E1A255BDFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554860Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:45.142{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BF75E0A5886F881694E8ECA7119F75,SHA256=E41607F8F13DA5E98732DE82E3E268803A86BFFEB9824C13AD973A0E5DB44E80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653155Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.886{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A7A-609D-6553-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653154Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.884{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653153Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.884{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653152Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.884{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653151Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.884{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653150Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.884{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6A7A-609D-6553-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653149Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.883{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A7A-609D-6553-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653148Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.883{7B03F3B2-6A7A-609D-6553-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653147Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.647{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A785A8D8A9E66A544E870266AE25B0B3,SHA256=2DE9C3625067AEF2B9721F1C29E78AF6C816631CF1D5D5B5411554E5A8FCE1EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554861Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:46.158{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BB2B1F856B6C6531960D3F7C4A71DC,SHA256=EA98BAAC7384EFCDFAC6DBAF221D9F84ED6E7725E7DF3B1F8BE7122EFD9485AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653146Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.304{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A7A-609D-6453-00000000BA01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653145Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.299{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A7A-609D-6453-00000000BA01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653144Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.295{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A7A-609D-6453-00000000BA01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653143Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.295{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653142Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.295{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653141Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.295{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653140Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.295{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653139Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.295{7B03F3B2-6A7A-609D-6453-00000000BA01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000653138Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:43.481{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65220-false10.0.1.12-8000- 10341000x8000000000000000653166Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.701{7B03F3B2-6A7B-609D-6653-00000000BA01}8442820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653165Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.667{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98D8623A4E263AFDB9AEAEC814A0777,SHA256=2D8370149A6352F0F3973D159D61EFB1BB3240AC5153213F011336B699C865D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554863Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:47.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDF16D67F2933D9CB33EA01F07CDBD48,SHA256=DFD2B55288351A5669065928FAC3E7E57F6850664B2C7E552BC69AEE298CE697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554862Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:47.158{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA66E259D9DA352558608BE9D1F0FE64,SHA256=31F84E9F8A9FBC5FA56CFCAECD57398DBB69685C1429EADEAEE2A7A1878443B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653164Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.509{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A7B-609D-6653-00000000BA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653163Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.506{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653162Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.505{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653161Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.505{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653160Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.505{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653159Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.504{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A7B-609D-6653-00000000BA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653158Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.504{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A7B-609D-6653-00000000BA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653157Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.504{7B03F3B2-6A7B-609D-6653-00000000BA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653156Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.305{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DCAE98AACEEA4CE8D02679838628600,SHA256=6B10252F4E07AB347F66CA1B387A1EB1F033E548DDA4F7E0C89D395A7CFFB72E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653177Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.679{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB903E02F66DD4E70F9E0FDF99B28705,SHA256=BE942F7CB9E4EFC409383534C8234EEDF469AD2F7B3C5935458C05270A38D629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554865Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:48.220{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF80BBCB6F0F4CEC767A53171F8DA59,SHA256=036C091ED59772DA6024720030609FF40CCAB2C6755D1F6BC5F70B32EA5C4AA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653176Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.641{7B03F3B2-6A7C-609D-6753-00000000BA01}73527336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653175Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.514{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E7F39DAF34544DBB782A1934DBCF95E,SHA256=2C4CA9902E5A4E62E28D3BD9F0359479303D9D4366B3FD340E3C891E1996D468,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653174Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.484{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A7C-609D-6753-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653173Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.482{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653172Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.482{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653171Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.482{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653170Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.482{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653169Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.481{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6A7C-609D-6753-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653168Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.481{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A7C-609D-6753-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653167Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.481{7B03F3B2-6A7C-609D-6753-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000554864Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:45.881{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51660-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000653188Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.703{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9360072EC0AAF540850DB8F9C5AF01,SHA256=EC30FDABE09E7A2BFE41D263CCFEF5F27EB0C00A9F9A319F004F6822400EF094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554866Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:49.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DC6D2432AF7AEFAB8FB7B396837CBA,SHA256=78FAEA66C9082694D296455F8A856B120003A3268B2E383DEA7FD1137003AE40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653187Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.662{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E108367B32C8B1ACC56AA1FEAB05FBF,SHA256=7ED0B98FBBCBA25419840289F763BAB5343108EB7B45670DB05FCBFE495F63E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653186Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.314{7B03F3B2-6A7D-609D-6853-00000000BA01}40608128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653185Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.166{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A7D-609D-6853-00000000BA01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653184Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.164{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653183Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.164{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653182Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.164{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653181Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.164{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653180Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.163{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6A7D-609D-6853-00000000BA01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653179Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.163{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A7D-609D-6853-00000000BA01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653178Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.163{7B03F3B2-6A7D-609D-6853-00000000BA01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653189Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:50.709{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14427C47542F7C1E8A9D779B2BE61C7,SHA256=245694DFD0F7138BE1D3FDA99BB32CE8D00BA76F4544FC84B886CBF28086F922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554867Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:50.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F37E54E6ED382E50F446990E44A23F,SHA256=A7A28B680B71375A4D007CC7351A8764119CDAA27C42123E626D89D03F71005F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653200Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.311{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65221-false10.0.1.12-8000- 23542300x8000000000000000653199Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.722{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7BEB179F977044ADD6523B809B2B060,SHA256=0CB447E0E283CF10E605C8B3A782B7E04EA639A51E104A39AAB168102F3B1810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554868Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:51.283{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1AA28DDEF03FF8B05B6A9295E6307E,SHA256=DB964020A69089BFF65B86A44EAF74015B40BCA97A94EB3A25864F4A525D7C34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653198Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.472{7B03F3B2-6A7F-609D-6953-00000000BA01}11406588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653197Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.287{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A7F-609D-6953-00000000BA01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653196Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.285{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653195Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.285{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653194Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.284{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653193Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.284{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653192Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.284{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6A7F-609D-6953-00000000BA01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653191Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.284{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A7F-609D-6953-00000000BA01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653190Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.283{7B03F3B2-6A7F-609D-6953-00000000BA01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653211Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.944{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FD38BD6FC2F5483C1A11D5941704C905,SHA256=5B3A5D4C64A210D3E99DE2D8AE417729EFD89CA569AB408CD3E6171780E8B2C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653210Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.767{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EC4990887DB42E53F2474EF4985B76,SHA256=7AEC8B5733FC27960B31A122D49E8470FA4C11365E7D0F83CF4F04A9CAC4AD47,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000554879Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000554878Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a20ed7d) 13241300x8000000000000000554877Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7481a-0x3a95dfc2) 13241300x8000000000000000554876Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74822-0x9c5a47c2) 13241300x8000000000000000554875Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482a-0xfe1eafc2) 13241300x8000000000000000554874Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000554873Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a20ed7d) 13241300x8000000000000000554872Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7481a-0x3a95dfc2) 13241300x8000000000000000554871Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74822-0x9c5a47c2) 13241300x8000000000000000554870Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482a-0xfe1eafc2) 23542300x8000000000000000554869Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:52.283{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C0D2B5F90C8114CD011179AA0E43CF,SHA256=8FF79FEBB76181CF6C67A989A50A2AB03B463B8626F3BCA26A95BA84A77824F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653209Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.296{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1093855B76803C7A9D2229886189A185,SHA256=932FA54FD08D51E786FA87E3214DF5957BF40BD5442D81093E985CB36D34BBEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653208Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.044{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A80-609D-6A53-00000000BA01}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653207Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.043{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653206Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.042{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653205Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.042{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653204Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.042{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653203Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.042{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A80-609D-6A53-00000000BA01}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653202Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.042{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A80-609D-6A53-00000000BA01}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653201Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.041{7B03F3B2-6A80-609D-6A53-00000000BA01}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653212Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:53.783{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C9369488B34B217905078CBC7CA6D6,SHA256=F1F264C3BB851A5627FB8E2FDB63AFCE06AD32A0B8DDA29CD0A485874F11CF29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554882Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:53.314{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3186EB090F5422642B44F1131D624C,SHA256=2497D7DC103BDF29401B0854E0F199D1F5077BD08C1073B7CE70A93829908416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554881Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:53.251{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94453D123BB3C543E3C99A4AA54B79C8,SHA256=05603A413237A2BA4E35056FBD46953C0DA8F8AC0393C412E306F28938F793CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554880Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:53.251{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DD0F307DA53ACCC82612DCCDB012D10,SHA256=BB68027D1FC771E9576BB1E9DBE7AC87C250F0765307A3FB8BAAAB210A640CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653213Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:54.790{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2495A6E6DD92AEB55505EA09CD6898,SHA256=740A8BEB601928AA3CC85BF85D41C033628D0A28BEF76AA47B7916D1AAEE7806,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554887Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:54.408{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554886Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:54.408{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554885Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:54.408{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000554884Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:54.345{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07122BF0A7E73ECD4A6EB4DBE1EDC501,SHA256=CF48DD72C6871478B975E897673A5D0F982F6D3316A80056DA897F4AA06F079D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554883Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:51.878{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51661-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000653215Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:55.815{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D70F957AD4BDC8A6FF3F14FFEA98875,SHA256=F5BBE90186C56C52DF8A8039DD28EECC3165457EB23B452BB13F7F0D436BBE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554888Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:55.361{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC34BC7FC370E8D9FD8DCC6DC3DBD1CB,SHA256=42AA290F34530C055E94F54494429DA65487E4E0D0661A69CC0545B3FBC25384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653214Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:55.116{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59688D0067592E6093814DEE01A35518,SHA256=06E73EBC616430DD441307A5DDB4808F6062CF67592209034B2F8707584124BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554889Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:56.392{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF039E456DD64A8CA6055CB133C6ED7,SHA256=56689572895C9493EAB916E16691E4B0DC2D698C87C8EEBDA91843F645CBB36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653216Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:56.836{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65DE4173A64DC12E79F4966D9AA7325,SHA256=E398FD098308D2CDDC01069610FB6966ED545565DA8BB159EAD602704FD4F815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653218Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:57.845{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C014DAE341934B4C1037B7EF1A699793,SHA256=4EF1C6C69300B3B3DF14C31A23787C789B79D8A4834279F2E8E0D517531FBBDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554890Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:57.408{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=702F308721E6CB056E20AE9C267C19B5,SHA256=C2086D289A00ED9731DB15A3DF35577BB6AC2AE019BCD4DC9BADDF89273DFA38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653217Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:54.350{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65222-false10.0.1.12-8000- 23542300x8000000000000000653219Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:58.873{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C01E2921D4EC5F662954091CA07BDF1,SHA256=CE54BEB8E3B766837A1A7B99D2B032FE5BCD5270492635DE920D63B5861CD49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554891Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:58.408{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DBA22133FBCCDB71E675A647B37C5D,SHA256=E56E4D09520F35AC44F955803739BE019274380EC9A6755908D6230BF3398646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653231Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:59.887{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9BE4D8AB49C4E3DA411C677B948A96,SHA256=E558D562285195B81DC8AA93EE7DFE47BE4D498E99342A60C8DF0375C7193BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554894Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:59.455{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FADFDA1B1E9FCD84B4773523CB4BC603,SHA256=B1FC01F8383CCA2963A3EB3E3A59DF3826A3216D314D90F65C4FEB24B71D5B9D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000653230Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:05:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000653229Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:05:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a28a283) 13241300x8000000000000000653228Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:05:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7481a-0x3e9143dd) 13241300x8000000000000000653227Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:05:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74822-0xa055abdd) 13241300x8000000000000000653226Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:05:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482b-0x021a13dd) 13241300x8000000000000000653225Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:05:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000653224Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:05:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a28a283) 13241300x8000000000000000653223Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:05:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7481a-0x3e9143dd) 13241300x8000000000000000653222Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:05:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74822-0xa055abdd) 13241300x8000000000000000653221Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:05:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482b-0x021a13dd) 23542300x8000000000000000653220Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:59.010{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65BF9A8FF28207985CADA31D3C6DDEAB,SHA256=C432DCDEF0F4C5CF98254981E051FA0F28FD49122FBCC951D58B55E4153510E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554893Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:59.111{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92D9E2097FEA1A3F4BF6AB60AE80DADB,SHA256=BCC4C23FB97C9DE577B01687CBFE44663527EDD706344DE2134C591117FE26E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554892Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:59.111{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94453D123BB3C543E3C99A4AA54B79C8,SHA256=05603A413237A2BA4E35056FBD46953C0DA8F8AC0393C412E306F28938F793CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554896Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:00.486{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6216D75896DDEFF120E34D078064FA86,SHA256=34CA35AEED8444064C026605F5F1E4897C07169012B11D427601D50834DD61B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554895Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:57.707{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51662-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000653261Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.401{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653260Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.401{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653259Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.401{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653258Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.401{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653257Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.401{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653256Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.401{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653255Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.401{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653254Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.401{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653253Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.400{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653252Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.400{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653251Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.400{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653250Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.400{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653249Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.400{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653248Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.400{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653247Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.400{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653246Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.400{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653245Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.399{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653244Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.399{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653243Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.399{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653242Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.399{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653241Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.399{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653240Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.399{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653239Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.399{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653238Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.399{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653237Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.399{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653236Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.399{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653235Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.399{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653234Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.399{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653233Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.398{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653232Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:00.203{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCEEF1AD899C838BAA8232C59CE6A9E2,SHA256=10A6BBF8E47F8FED14B04AB412A01491CC0E98D98E51BD848D124CDD40EB7B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554897Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:01.503{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB896DBDE1173DD0DC6D61FAC7884F19,SHA256=BD1AAD63E7E0D9CCFECA0338F32D9AF71C91E4968CCC834E062D72F2F6F75816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653262Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:01.362{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45251A741DBCFCC19FBFE315E20F53F2,SHA256=03213C8F859A8C7CA4FFA5749A9F94C9973AFA96FE9089D9E3CD5F9351138467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554898Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:02.516{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B9B993AF65D116A8E64604B983F384,SHA256=C53A3885444FB3CE2EF7F64FAA87457FAED3885A2DA1F3F01B8166E1339DED08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653264Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:02.388{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D715AE85AC334E984A70F4D1208AC637,SHA256=E72CC1BEA9667E48C4071C8F41720987561BDEE966C1A0816549330F3CD8ED1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653263Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:59.427{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65223-false10.0.1.12-8000- 23542300x8000000000000000554899Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:03.521{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3F1775E3D6BEAD88C72376CFD00863,SHA256=9F5714D38AFE065E6B5380FB90C079196F6C7EEF42F1B84330AC38383106DA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653265Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:03.398{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7FFB678E17ECA861ECB87AE7D6A3F78,SHA256=0674B8947F45D3D86675047B3894337EDC911DFFD25FC254BB2032AEE0CA869F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554902Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:04.537{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4DAC9B013D0468269D2CC34E94BF76B,SHA256=6604F46D125F3EBBA4EE321DD2F46F24978719F6AB5C41C496B9C036D9BB428A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653267Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:04.408{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EEF088F0DB5AB12D44A0E1AA031905B,SHA256=EC0D23ED1433AE40739FCE3A145212714AE932B307A8F54ABA7C2C38225F4F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554901Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:04.224{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CA8CC5C5A939BA1078F41C492E176D3,SHA256=25EC5D89E9E365E1A222352E8D22896AD917CA68D3212982BB174B561C7CF59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554900Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:04.224{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92D9E2097FEA1A3F4BF6AB60AE80DADB,SHA256=BCC4C23FB97C9DE577B01687CBFE44663527EDD706344DE2134C591117FE26E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653266Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:04.012{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC3A03C84EF4572DE6BEE3168DF5ABB8,SHA256=2139CE5CF8696F819E5CD8F01AD93691E0BD2EDC4BC08687FE052F1B641DC18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554904Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:05.537{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54816F1AA34A7C350BB70CB38E33B51,SHA256=25BD11BB434560CBAA740DDF367F60E35B165B363969162AB593C5707EDEF8A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653268Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:05.416{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69AD8E2DAAD862175195F36D242108E4,SHA256=B77AB508F4CF15DBB055FCB21D46BC8982E2223A91BBF681F80017833D3750B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554903Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:02.788{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51663-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554905Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:06.537{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4798309274753EC55DF7081596DF545F,SHA256=16CFDB9A84A9A92972142E5799BD5E0AD375102D4A12FC8CA3A2940DA3C905E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653270Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:06.424{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BCF9DE200F78D2E7CF2F2A57FFB4C1,SHA256=C37798FD29826399B966BB205567BDE1A9ECB32A73D84ACD6DA3E578028F077C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653269Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:06.162{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FBDC5D10B5903D3456157CFB675AADD,SHA256=CE86A5A38F8343D947CEDB17D1046285D57D18F29EFA2BC96D70929FBA662AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653275Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:07.433{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DADD0B2BCD5408F0BA1B4A3DF7C3A64,SHA256=3448C4EB7FEB194328A861E7EEBD17A80192AD9DF0C6E2055755A739B8556A04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554906Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:07.552{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368BEBBC6291E603D1E3D3E9A28BBC27,SHA256=F21C140D2694EDCD5FF610781350792A123C0943FEB270054E2171CDE8B8F4FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653274Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:07.228{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653273Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:07.228{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653272Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:07.228{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000653271Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:05.390{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65224-false10.0.1.12-8000- 23542300x8000000000000000653276Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:08.446{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F0B1968D2623A0CE5ECF6B09A715B58,SHA256=C4682B4F6A0C9511FCA19FC86D983CCFBCD1F22EE18C0CC315B3FE3D8DFBA8FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554908Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:08.787{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8CAF221EF802D9EB124C3B57FB4F89BE,SHA256=A4518B6E42AC863368914AEF7443D33B5713ED4AD65777FA1D23F0ECF6681833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554907Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:08.552{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB1E40E8350CBF747016D594893635F,SHA256=CB7A1965AF27DDFD82C685069002594A68FE4F8C43B75639779DD2458626E199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653277Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:09.680{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF8719396C306073EF08AB65B5F404C,SHA256=B1566D460ED85FE7AE2CE734F5AF4E2927FA533035B47FA1AD5C13279BF430EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554909Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:09.568{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1BC7B7EBAFEAB217037FC0C7FD6BECC,SHA256=16A9C1938BE80FB36D4A52E503D3827B01912A5F2482D4FA09FF6A864665E4F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653278Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:10.696{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC350E9F6BC007E53EA15B1799741A48,SHA256=A96ECDB3CE16BB3931AB7F001111C489C7BD2231D01BCA49DFFA0A4441E178D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554913Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:10.568{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E77BE34D8662EAA046C102C6B85AA5A,SHA256=3A6EEA0DA2C072CA00602773EC88BE3606BEAA89F419F6E04CAA0FA6233026F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554912Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:08.757{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51664-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554911Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:10.130{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5E3381EC1C11DE1475E573C569BB34D,SHA256=E0B0AE5B944CA3030FB996607674860CCFD067166F60A982A5783E4F9680F3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554910Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:10.130{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CA8CC5C5A939BA1078F41C492E176D3,SHA256=25EC5D89E9E365E1A222352E8D22896AD917CA68D3212982BB174B561C7CF59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554914Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:11.583{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4105FF89AD2F077A74D0A141E18B7EF,SHA256=86D72DEA8F1A057F184B7CB53D72BDE6DE1517A6CAB1AB89739F1D87CC6EBF8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653279Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:11.699{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBBC2D4308AAAB4B9B834C40FC008AD3,SHA256=8D121E67F6228CACD1751B58108C2DA70A94761F7B39ACB11509BCC76CF2B4B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653282Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:12.723{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC04396A576D0743FD88EC48D1E8D57,SHA256=8CB4F33F808BB7A02EBD4D0C50484039E8952EDF06595605F2E9014DC97658A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554915Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:12.599{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F6145652FE191256B198FB777E467E,SHA256=FCD87B2F5F08F8923CFB3A8A458E62CCB21248A391DC1BC500A7FAE4A8FF3227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653281Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:12.178{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=578EBDD6C8C27E998FEDB728CD52FCA2,SHA256=8E1FB961FB90AFDF4831516DC5A5488D01F1C44332905E1957F8B0F919F9F7E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653280Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:12.177{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1762C67BE437D7CFA1B38215BA160BC5,SHA256=723815993829EFC175C2431CACAA4DF10DDF2D88D8A681B2527B584543906029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653284Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:13.729{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B6243805F7AB8C96C5627A3399205C,SHA256=6F523BA9D91AE9C5E0A3B49125BB3A73876C5FC5391BEEFFB39530E6CA649679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554916Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:13.615{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFBA1A2589E2528D24989DED80F66BA0,SHA256=961CF629B73E066D999F9E6EA82C6AE9FE3A867DE54DCCF720FE7B1CB1492C66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653283Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:11.413{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65225-false10.0.1.12-8000- 23542300x8000000000000000653285Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:14.747{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9655543F1726F77760BB7F5AFFB3F106,SHA256=999C88779F8040BB763C1C7E5E6DDEE62256A9D2226377B1AB8E41D04A1DDBF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554917Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:14.630{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D717AEC2E07328C1F0F3404F4FF0D56,SHA256=B7E7C9C957BAF262D53E21697F490E3CFE3FE2A725B35EDBB486B827260FD480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653286Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:15.753{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE7554FE469C075A809DFDF9A2F1A7D,SHA256=124A9817B6C5EC7F69A28DA62DB5D9CCA6036B4BD40E3431BA06812DB6CB5C4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554921Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:13.882{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51665-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554920Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:15.630{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4951C6C462017BE0E5DCFCB21372BFC5,SHA256=D58BA05D5FFC57CFB238DF81FDD9BF073CFB7F52139C9E208794955BB94BD8C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554919Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:15.380{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1016924CEDA17A161A4516DDD77F528E,SHA256=0B7116CECB4AA33070848C0AEB89692E8DD79D4626E0A418F50424B2369FAE7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554918Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:15.380{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5E3381EC1C11DE1475E573C569BB34D,SHA256=E0B0AE5B944CA3030FB996607674860CCFD067166F60A982A5783E4F9680F3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554922Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:16.646{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585F291821D36D71D70A80DF2AEC4DF1,SHA256=DCF80A01D4CBBD0FF51E499FDA8DAC5BE80B73EEDC081BF3378287A43B57157B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653287Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:16.771{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95FE57940230739745C3F9A8DFC466ED,SHA256=2E7AFF8B41A8C0BBE8D7DE636F5D22A008E3CA22E26D6B9C172C9EE478C1C1FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554923Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:17.662{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF8CDED8ECA50BD9F35DF7E43EC551D,SHA256=AD64A65ACFA2FB039425B282A82EEE33A74506C438847D31B13D5671AFBBE951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653291Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:17.782{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4B06589F7F76E7CD53005A82E92F16,SHA256=0F6D31B899DFFAA29117661B23E562818E979B86459C973BFCEFACCB88CD5F13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653290Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:16.473{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65226-false10.0.1.12-8000- 23542300x8000000000000000653289Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:17.241{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDF0D6292530965F324CF622CB7ACF58,SHA256=4F008A74FF10CB66564C1C8495C622910E7B662185D8A33FEBE264C1C44A8361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653288Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:17.240{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=578EBDD6C8C27E998FEDB728CD52FCA2,SHA256=8E1FB961FB90AFDF4831516DC5A5488D01F1C44332905E1957F8B0F919F9F7E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653292Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:18.804{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17809AAB34785FD7D7A52867B530172B,SHA256=483C3E4C2898D31727ADB40286392BD7BAB23349E87390BC60E15E9D2021AF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554924Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:18.662{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833BBA56B513398696DACA23D618DB2F,SHA256=3847D5648898AE9B8D88668ACFCB9A06B039FCF8D91E0D93B828C3521807643D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653294Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:19.809{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D88A6274FA5FA52BAE6B462AD20247,SHA256=BEC55D7EBDA44A01631CC004B2A6BA60121423502D8AC4E652FD0694E0C75B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554925Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:19.677{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61B7BC24C87F82032EEE5C47FD93D07,SHA256=12C2AF87CEAB342357E7A8433C03C0E70225825D447C5C404A6A3FFA89F3C594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653293Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:19.007{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDF0D6292530965F324CF622CB7ACF58,SHA256=4F008A74FF10CB66564C1C8495C622910E7B662185D8A33FEBE264C1C44A8361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653295Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:20.841{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205C3929F4581DF193C21B6F704BAE06,SHA256=278A12A03DA5C1F57B6980D6C5BBCFA661783D5D7E3FBFDB487D48C3A54DBC3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554926Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:20.693{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46E49F7B078AF917BD3EE61383BE3ED,SHA256=EA46865E1E1E906B7C1D3980D388FC7702DDB48088BC432935DEDD0A434817F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653296Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:21.852{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1F506D48B1CACDD05206C7E6EA250F,SHA256=C4633412B827160861C599E97E93F98A15B24C716A0F1CF30B688D65A3B3F9F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554930Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:19.804{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51666-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554929Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:21.708{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC43BA3517769AB00335E18B7529989,SHA256=1B71DBC79347700A6C05D1882E77086EF70FBDB58B827F54DDA9D8E41388C8F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554928Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:21.193{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3EC91DF32F600F02D567F9BAD802D17,SHA256=556FFC80B853252049C2A358116FC2B7E03875DF41756C52DF8FCDE289A20A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554927Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:21.193{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1016924CEDA17A161A4516DDD77F528E,SHA256=0B7116CECB4AA33070848C0AEB89692E8DD79D4626E0A418F50424B2369FAE7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554931Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:22.724{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C4A0A1A67B0B38CE4038BFDF0CC7D1,SHA256=420D42BD3720BECAF1990CF857E737D3D313B68FE34C507A33950DBB04DBD69A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653297Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:22.872{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42E44F7FB2E2197D0342CA7C1EC2867,SHA256=66585F1A995CFB5D05E0FA81D44A9E3FD444392550A735C79470ED12EA187ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554932Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:23.733{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023CDE9A612F66C999C8A140CB99C6D0,SHA256=616846DD56A1B4377ECA2E5068B951B2C068FE07276FA6F4EDB58D571019F0D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653301Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:23.887{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB37797C139404F83393F38FAF845D8F,SHA256=5CBC2DC8956427B7DAEC58805DBDF2A77EC5D4447B4DEFD440D873A74A3631A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653300Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:22.356{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65227-false10.0.1.12-8000- 23542300x8000000000000000653299Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:23.129{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0F8CFD9E857149E3F7631026CB27485,SHA256=36C71E006600C7C5FE7FC5CFB5386C876051822CB1C8069843DF5A6445FB2C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653298Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:23.053{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653304Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:24.907{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916193FEBDC4534734909ABAFFE15209,SHA256=A28474FE042C844707A072B067749FA99AC68718A30D084809228CD548D94919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554933Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:24.749{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91E9833F4FC37A9D4516F2F49BEA70D,SHA256=1B7C7A4820F9024EB2F9EA6D84EB16697D64E566127A12835F6F613D322749AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653303Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:23.268{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65228-false10.0.1.12-8089- 23542300x8000000000000000653302Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:24.386{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=310832697E118D192251FBE935F50B80,SHA256=25DFA944C062D783D085B7AFE76F82FDB0094EA1F3C094CF77B90F56AD087A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653307Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:25.943{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B85478343B8F51DCAB2C554B2C821AD,SHA256=A270F47AEC58A61F1C3C9EC59248A867CDFDD8F1846403AA1B0E4D0E2461A0F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554934Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:25.764{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E8242A6701181DCCC0133D6E2EFA54,SHA256=7F6D5889161B931637C9F3085BABD42B95134060D7EF0948B987E93ACEBB1E17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653306Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:23.615{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65229-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000653305Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:23.615{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65229-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000653308Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:26.947{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3F9A7AC7C4EC4E5B16F67E02CBCE05,SHA256=48B82C8C52FEEEF75C99B9C60FF6656E3D423656674E65D39E52252BAF2AE7FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554949Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:26.952{E1BD9FC2-6AA2-609D-7B4E-00000000BB01}3328940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554948Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:26.827{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6AA2-609D-7B4E-00000000BB01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554947Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554946Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554945Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554944Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554943Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554942Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554941Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554940Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554939Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554938Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:26.827{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6AA2-609D-7B4E-00000000BB01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554937Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:26.827{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6AA2-609D-7B4E-00000000BB01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554936Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:26.828{E1BD9FC2-6AA2-609D-7B4E-00000000BB01}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554935Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:26.780{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC05D3B8D426E77C29AD356C514C1839,SHA256=DB04ADB4C51006A83C0E8FB8425B13C95205C5C4CAB022428346193550C6134E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554966Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.858{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1FDBD1D5DCD7FED9F7131CE22CA132,SHA256=C3405246834A602C33101E41192E2484AC300C237FEB21B320D14FEE813AE24F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653309Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:27.956{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEC1E13F037AA98D7D4456E045A7D351,SHA256=BA326EFA400939DAF204343908D4CBE6145740E8B8CB040ACD9881C7927B38E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554965Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.702{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554964Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.499{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6AA3-609D-7C4E-00000000BB01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554963Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554962Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554961Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554960Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554959Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554958Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554957Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554956Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554955Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554954Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.499{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6AA3-609D-7C4E-00000000BB01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554953Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.499{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6AA3-609D-7C4E-00000000BB01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554952Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.499{E1BD9FC2-6AA3-609D-7C4E-00000000BB01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554951Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.202{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73EB83B82C998B4EF7664739B75AEB9E,SHA256=6AD0182319E8C5D0AB59BD1829CB41AA152ED1D3413B3C142D55CC82ED779926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554950Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.202{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3EC91DF32F600F02D567F9BAD802D17,SHA256=556FFC80B853252049C2A358116FC2B7E03875DF41756C52DF8FCDE289A20A1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554982Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:27.328{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51668-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x8000000000000000554981Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:25.813{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51667-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554980Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:28.530{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73EB83B82C998B4EF7664739B75AEB9E,SHA256=6AD0182319E8C5D0AB59BD1829CB41AA152ED1D3413B3C142D55CC82ED779926,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554979Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:28.171{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6AA4-609D-7D4E-00000000BB01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554978Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:28.171{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554977Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:28.171{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554976Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:28.171{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554975Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:28.171{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554974Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:28.171{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554973Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:28.171{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554972Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:28.171{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554971Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:28.171{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554970Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:28.171{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554969Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:28.171{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6AA4-609D-7D4E-00000000BB01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554968Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:28.171{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6AA4-609D-7D4E-00000000BB01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554967Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:28.171{E1BD9FC2-6AA4-609D-7D4E-00000000BB01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554983Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:29.093{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=497B083D658B4D7C793A52D20F86019B,SHA256=349B1F2CAD49B59F604370D189DBDD6EF1259E5268537557AD8DC801877A1271,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653312Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:28.291{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65230-false10.0.1.12-8000- 23542300x8000000000000000653311Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:29.126{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B86201DE22B6EAD4D92A0EB3A9A75D3,SHA256=659F166941DB5F5E1B1C0B2728345ADD9FB2377476DAB335153DAF6494021921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653310Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:29.004{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0EC3B8B5D86362834CD53EE42ED558,SHA256=813904DF7B04304FC8E744FEC965E37833CABB3351F5F672E3A3E59EB24D40FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554984Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:30.124{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90FC775B2F479E608047A198EA1DECCD,SHA256=77B61392E1CFCAFE3F062952F23CC8660B921245EB5A99298CA36442E101FF4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653313Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:30.019{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E727E34E4E982CD39A1B15E3208C485,SHA256=83B1AD34093AF81234B7844550F76B798378081CDC556E073CDF4BEA1D37576B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554985Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:31.155{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529C586B0D96467A21B6E13B2F0F2E1E,SHA256=13EAF1183FDBCCF38A2A0817576CF084BB69CD899612B5034ECDD4829A671A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653314Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:31.035{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A899D84596380743AC98A01AAA6CF52,SHA256=B1011A6E60C31D8FB2288710D8F36E592158020F2445EA00DF6549C9165E0A3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554987Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:32.233{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A56971BB6E38DFCC219E2DCF7A1D337,SHA256=AB3C1D475C7EFCA4D61095D39527E7B52D4DA6820940008FE3B983693B938C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554986Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:32.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE173171CBCDA81142C012B47A3E515,SHA256=FA5B0E1405ED3AB9E6165B99927499F36FDDCD68EA87E3C505A565586E395BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653315Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:32.039{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B766AD28E9313BD5A333848A97AF59,SHA256=CEAA514E7DA38D63E178B836E17EFB4BDBF2ADA049B83F04AD9BFEE94B48C954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554989Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:33.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1702F68BB9B0338CFA74FE73D19D28,SHA256=2E2D54868E48C2F447CD49BF3858912DD89255E62D884EAC73FB2B554F6E59ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653318Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:33.986{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42118F399AADD74C6C99FF5C05AC5E17,SHA256=1BBFB6C34690A51D366350FB8DC29095D8AA8E7102F4CDD0432793373765087B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653317Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:33.062{7B03F3B2-D0C8-609A-0B00-00000000BA01}6324648C:\Windows\system32\lsass.exe{7B03F3B2-D0C5-609A-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000653316Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:33.060{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD7DF7F7CC211A9A3CD918EF711F93EF,SHA256=26F70AFFC535E5E4701E97DDF67A53FF6274C6F41392A83F67FED92607CD256F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554988Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:30.844{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51669-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554990Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:34.202{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF344312F306E981C83791C42864675,SHA256=8AB3FF954D5CB4A1938E586294ECC72ED181B17F81ABA93209209B11805E8A65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653329Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:33.303{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65235-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000653328Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:33.302{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65235-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000653327Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:33.300{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65234-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local49666- 354300x8000000000000000653326Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:33.300{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65234-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local49666- 354300x8000000000000000653325Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:33.299{7B03F3B2-D0CA-609A-0D00-00000000BA01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65233-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000653324Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:33.299{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65233-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000653323Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:33.218{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-18.attackrange.local65232-false10.0.1.14win-dc-18.attackrange.local389ldap 354300x8000000000000000653322Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:33.218{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65232-false10.0.1.14win-dc-18.attackrange.local389ldap 354300x8000000000000000653321Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:33.206{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65231-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000653320Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:33.206{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65231-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 23542300x8000000000000000653319Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:34.069{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85B1FE3A65614F68AF0EFA82F85B562,SHA256=0F5DDC41AC2E8D183B544A26BD95DFE8DDD08F342192D23F078B9C8646884BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554991Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:35.218{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D5B05F6B022B141D3DD77E36F959CD,SHA256=F81A5B39872B32532606FD97CC6736658C7C6981CBF9377E57A7DA0C5E4CD14C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653331Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:33.391{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65236-false10.0.1.12-8000- 23542300x8000000000000000653330Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:35.087{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD43CF0352E7FA88FFB6B97BF7167402,SHA256=67AEE522D783FCF5BD889E4E89E48C8E9602D7EE39FE1E454B06B0C5608B6C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653332Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:36.104{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2BF9B2C524AF8C767814A232CD0585,SHA256=89E8D73425826D32763E7D58F953429D97F0CFFD747C33876F979716FAEF8BCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555020Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.717{E1BD9FC2-6AAC-609D-7F4E-00000000BB01}32444088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555019Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.592{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6AAC-609D-7F4E-00000000BB01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555018Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555017Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555016Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555015Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555014Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555013Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555012Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555011Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555010Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555009Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.592{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6AAC-609D-7F4E-00000000BB01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555008Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.592{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6AAC-609D-7F4E-00000000BB01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555007Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.594{E1BD9FC2-6AAC-609D-7F4E-00000000BB01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555006Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.233{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D81C1AC4DB18E2314DB60917E331822,SHA256=070B69D509CCFC296080B8910B6A99232E4C816E29B298106AC0607573859914,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555005Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.155{E1BD9FC2-6AAC-609D-7E4E-00000000BB01}37923720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555004Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.030{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6AAC-609D-7E4E-00000000BB01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555003Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.030{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555002Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.030{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555001Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.030{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555000Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.030{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554999Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.030{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554998Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.030{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554997Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.030{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554996Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.030{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554995Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.030{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554994Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.030{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6AAC-609D-7E4E-00000000BB01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554993Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.030{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6AAC-609D-7E4E-00000000BB01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554992Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.031{E1BD9FC2-6AAC-609D-7E4E-00000000BB01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653333Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:37.110{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1010132B0FBB579A936F1E90EA8300C,SHA256=939CC21D2DF394FE84101919D42EC466EE75FFE47F69A66FB43E0043A244A47C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555049Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.889{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6AAD-609D-814E-00000000BB01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555048Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.889{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555047Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.889{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555046Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.889{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555045Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.889{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555044Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.889{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555043Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.889{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555042Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.889{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555041Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.889{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555040Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.889{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555039Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.889{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6AAD-609D-814E-00000000BB01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555038Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.889{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6AAD-609D-814E-00000000BB01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555037Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.890{E1BD9FC2-6AAD-609D-814E-00000000BB01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000555036Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.343{E1BD9FC2-6AAD-609D-804E-00000000BB01}2868100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000555035Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.280{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDB844DC92E93E5CD3DF54767382C5A,SHA256=1A89FEB1ACF5E5CBF94D285A6DAB15E8CF31197E5D868FD69BC2DF00C60B9617,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555034Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.218{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6AAD-609D-804E-00000000BB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555033Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.218{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555032Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.218{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555031Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.218{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555030Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.218{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555029Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.218{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555028Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.218{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555027Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.218{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555026Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.218{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555025Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.218{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555024Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.218{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6AAD-609D-804E-00000000BB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555023Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.218{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6AAD-609D-804E-00000000BB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555022Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.218{E1BD9FC2-6AAD-609D-804E-00000000BB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555021Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:37.202{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F741F2599444194E9B27BD43E71F453C,SHA256=99E001C0417694E013344A63341D5DDC12FB4A0E191C38AE554FF00560A6BF9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555051Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:38.311{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=673B02505AA1588019D6BEE37E7010C9,SHA256=851435BF2B408B59E0E72A779405CE51164333503CB020F653769928E0BE9ACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653334Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:38.119{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D135A421AEE641B7B100487C451D09E,SHA256=9A93635E0FC749B6C4605825B49542962B5D463FA9E1EC032EEA2B943129A24C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555050Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:38.264{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53E46379F04FCDBB7C4AE055C4012A6D,SHA256=D453345F8DE83BF28381B6BCA96545F57F73B6CCBD3E92D0BDD595D712B41BE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555053Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:36.828{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51670-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555052Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:39.311{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48E740AA59CFB3F443F8F5B453B4EFB,SHA256=C69049946DCD70B5A8169D0D64AE4745C78CB8C9C05DC17A021CC0A99828922B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653338Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:38.444{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65237-false10.0.1.12-8000- 23542300x8000000000000000653337Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:39.151{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E400732C37A3E067E8EEB086A29A52,SHA256=5CF078D1665E06D025155E5DE6561DF6F5E94C0E70AD8880A889FF708C70CA1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653336Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:39.025{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F6491E26CDF2D667150E9E9C8D129C9,SHA256=C499F786E9B0997D16FA4470FFC14132A8636483C923F7A7B97F85A1E480828F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653335Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:39.023{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDE927129EE70C4ACDC4517951326191,SHA256=0DDA1B068CDFA095C1859C49FCDB82BC515ED0F59BB80E9A9FAF1F47D8409F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555054Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:40.343{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB066C8D6016354135728082353720B4,SHA256=A1682BE0CA0A7CED7F6A0E9DB8D74A8E5FC3DFA63F229735C817C84919D12D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653339Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:40.154{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED15D06362D09A3113CBC69FC7D2EA4,SHA256=A492EBFE27EDEFD1DED77E131AFFE3727A251799F7C456053417C8D999027755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555055Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:41.358{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F99EFCE9E3D6CF3E527053525C975E4,SHA256=6D8649DF5D26404FE52477B2C4E0C0A3DECCE44D111E239363CA72D560E9321D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653340Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:41.172{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8324231D57C0347C9492C96E8A895BA9,SHA256=0E597E867882B71030EDFFF5376A92802242C16E532F6DAE0DBCD72EC7B7D0D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555056Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:42.374{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1866F1505FBDE2DD38E0920E88B1343,SHA256=A41B58C8315DE31C67D02E3024BDBE17326232B0728FA1D74ADB1F4619B91503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653341Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:42.182{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98FF854C6312A682F53E26F117B115AC,SHA256=18A214BC7B8F88C15640098E0024D8683DE606F33D96648DC76887FB431F47C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555057Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:43.410{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237F4EFA43A61BDC3DC527DB9F99DDBD,SHA256=03039C9F75592B4BBEDEE1C3EB3AE62EC2CD2495436F6A324CC1580A49D638C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653342Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:43.190{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85210C382428059A36B1F5FF949A664,SHA256=131111C83C114AD8518C2D63D4D0F86A48AFA2B4E0AD5A2AB673288AAE097DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555060Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:44.426{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD88B0044189962789BA302D212C9996,SHA256=DFE26690853C4ADF7BD7B22AD9E8131C5DB525543345EB4272C08C6C5B392FC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653347Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:43.453{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65238-false10.0.1.12-8000- 23542300x8000000000000000653346Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:44.538{7B03F3B2-4788-609D-774E-00000000BA01}1036ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1036.xml~RFa295364.TMPMD5=5714059E6175AA2BE2D911D4379F98E9,SHA256=264C6878029CE25FF6ED4F8B1DC23FC47E1DCE8FD2D3EE4B31E7066B69968955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653345Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:44.198{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6068E9E3D57AFBA0CB9206F25C59D2,SHA256=9298BA3B293465B2DC63EBDEBD0E96F4AF3B72762F5AEF835CE1358BBDB163E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555059Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:44.238{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=273A9EE9D2EE74A4D61D16666054E3C1,SHA256=2ABAD9588F95D74210EEF9CA14EFBA06C25BFCA19E1BBD04DE1E8B3D2863AD32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555058Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:44.238{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E7A8853907525D4BB8C262A329F2E67,SHA256=867C79039CBA11777BB7D58A25CCF950B68DC5B2B29EB0160B9D866A68223833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653344Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:44.041{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4537CB17746FA6863A8BAC8C30B3E162,SHA256=383FF61CB0138DBBF1EDE770E51AEDEC658C18B29689F78AE37CB90FBB879734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653343Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:44.039{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F6491E26CDF2D667150E9E9C8D129C9,SHA256=C499F786E9B0997D16FA4470FFC14132A8636483C923F7A7B97F85A1E480828F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555062Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:45.457{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A947E830EF2E6E1E32DF025DE67B03,SHA256=6537AB6B454E527FEBCFF479D089841F281CE7C04DE90C9CCE2C3916B92C87F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653348Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:45.203{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3738BE274041738650C44968A80098D,SHA256=605ABD88068A3C44707F6454862DD18037C27C5DFEAA27B513B439A7737B6463,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555061Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:42.849{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51671-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555063Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:46.488{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD59539CC492A8BE9B7FA16F3B0857FC,SHA256=CA7E06C8CC03BDDABBE4F9F800E166D7F122214DFA2AB2CF5D498A5607E1B684,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653365Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.995{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6AB6-609D-6C53-00000000BA01}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653364Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.993{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653363Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.993{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653362Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.993{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653361Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.993{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653360Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.992{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6AB6-609D-6C53-00000000BA01}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653359Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.992{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6AB6-609D-6C53-00000000BA01}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653358Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.992{7B03F3B2-6AB6-609D-6C53-00000000BA01}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000653357Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.312{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6AB6-609D-6B53-00000000BA01}7440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653356Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.310{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653355Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.310{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653354Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.309{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653353Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.309{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653352Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.309{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6AB6-609D-6B53-00000000BA01}7440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653351Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.309{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6AB6-609D-6B53-00000000BA01}7440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653350Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.308{7B03F3B2-6AB6-609D-6B53-00000000BA01}7440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653349Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:46.235{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A57E5E8476D6FA6966633294EBBD366,SHA256=677A3FF3671321EA9F01F56789ECAD5473301A8FFA8EBF1F1C924FEC9759F6CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555064Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:47.488{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AEA57068A8AF7A9F508FD2F92863634,SHA256=E18645BDFE1117FC772BE217917DAB0B388E1A96043A4F97B472E4BFAC0F09D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653376Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:47.512{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6AB7-609D-6D53-00000000BA01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653375Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:47.510{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653374Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:47.510{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653373Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:47.510{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653372Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:47.509{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653371Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:47.509{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6AB7-609D-6D53-00000000BA01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653370Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:47.509{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6AB7-609D-6D53-00000000BA01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653369Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:47.509{7B03F3B2-6AB7-609D-6D53-00000000BA01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653368Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:47.320{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4537CB17746FA6863A8BAC8C30B3E162,SHA256=383FF61CB0138DBBF1EDE770E51AEDEC658C18B29689F78AE37CB90FBB879734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653367Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:47.251{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A11F229DE3389AF136351226CC79F1,SHA256=E78E8809778C967159D0943654C2FB53D044AE1D8066BC5FB90FBC9132550F80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653366Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:47.154{7B03F3B2-6AB6-609D-6C53-00000000BA01}77845116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000555065Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:48.504{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4942633C3781BEE807E87333B895D581,SHA256=BFE011284B595BEC2C72F2169EE97A5ED45238FEB0D52C8941CF53A6DFF186CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653387Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:48.644{7B03F3B2-6AB8-609D-6E53-00000000BA01}72844816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653386Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:48.518{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0DAEE78577D1371898A369E42AE13E8,SHA256=22500050BFC8482C70256DC0298782D41EBA72216E70001D75FDAB2830E2EE49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653385Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:48.489{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6AB8-609D-6E53-00000000BA01}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653384Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:48.487{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653383Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:48.486{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653382Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:48.486{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653381Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:48.486{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653380Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:48.486{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6AB8-609D-6E53-00000000BA01}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653379Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:48.486{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6AB8-609D-6E53-00000000BA01}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653378Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:48.485{7B03F3B2-6AB8-609D-6E53-00000000BA01}7284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653377Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:48.272{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED00CDC8BE47CBE1885BCD10AA53B65F,SHA256=7EFC6039C819023D388721AD62A82875B4AE3BC2CC6368371F32931DA77D8791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555066Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:49.519{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC52A3EE889F0980429BA57FA7C8BAC,SHA256=A8136483F325013213F87634A7C2C809B6B0962498D08476656086381799354C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653398Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:49.665{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46974DBA5D48E744BAB6A94A4887B53B,SHA256=0768FD73D69392B00061400FDFB7D76E275D5107242E9E7199C07129664AC992,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653397Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:49.316{7B03F3B2-6AB9-609D-6F53-00000000BA01}80567764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653396Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:49.282{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEAA878FD61FAB70B8BDCB2FB776077,SHA256=089D39B461DC41EE6729D6A8160FB117AA83ADBEA76076E4F5B8C9D6AA0382B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653395Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:49.169{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6AB9-609D-6F53-00000000BA01}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653394Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:49.167{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653393Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:49.167{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653392Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:49.167{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653391Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:49.167{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653390Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:49.167{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6AB9-609D-6F53-00000000BA01}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653389Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:49.166{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6AB9-609D-6F53-00000000BA01}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653388Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:49.166{7B03F3B2-6AB9-609D-6F53-00000000BA01}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555069Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:50.535{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ACB1562EEEE1B650D175317C5E6D4E8,SHA256=E608AC2B7A1D76E0A80A6FC41C22AA828839FDE785682F61728AA09D3A129CE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653400Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:49.330{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65239-false10.0.1.12-8000- 23542300x8000000000000000653399Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:50.316{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4E7179FB996FF62D0F6BF97ED967CB,SHA256=6CB3BBD4C307C7D3529EC9C0EE0AE364518C1BC6971884B0B76BED49973A828B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555068Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:50.254{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C97AFD7527A8A859A056C29A9363366,SHA256=A001B49B1456E474D3AAA9B28F5F81983293CF08CF4A11BCDA956F23A1F2F27C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555067Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:50.254{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=273A9EE9D2EE74A4D61D16666054E3C1,SHA256=2ABAD9588F95D74210EEF9CA14EFBA06C25BFCA19E1BBD04DE1E8B3D2863AD32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555071Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:51.550{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22DB198B819E9EB999656C7F5797EF39,SHA256=B8F13DF731B5F244EF868EA654E4BE74C557A1CCF472F2315E6CA071AD7661E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653410Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:51.473{7B03F3B2-6ABB-609D-7053-00000000BA01}68725260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653409Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:51.327{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D345A4B57ABF5A01A5310787C72669,SHA256=9104CDCADDB5E19B3DE04E3CC4A3392408F613D2BE7EE47EA4156D398E37D955,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555070Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:48.834{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51672-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000653408Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:51.296{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6ABB-609D-7053-00000000BA01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653407Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:51.293{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653406Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:51.293{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653405Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:51.293{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653404Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:51.293{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653403Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:51.293{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6ABB-609D-7053-00000000BA01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653402Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:51.292{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6ABB-609D-7053-00000000BA01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653401Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:51.292{7B03F3B2-6ABB-609D-7053-00000000BA01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555072Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:52.551{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F2664A8CBCB50E3F7637B3D1A9F8A0,SHA256=BD42E44C6BB7034D6A2EF325E0600F7F88DBEC1428846452D8AB93D250133347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653421Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:52.959{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F2479B3F2C692AD86C4F481F2A1ADC12,SHA256=9A8A03B9E87F73169F0C81EE520C2E63A2803B9EB203EB9707834FEDE0566FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653420Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:52.349{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF943D63785B92B9707E278365A5D9D2,SHA256=184407474C7FF6DED926676EDDE321926BE6D3E602027E4051E035816A9CF5D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653419Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:52.299{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=131BA57BDE92B72CDBED14F63053AB1F,SHA256=F42633AA99E29BF26E50FC50669D4D5850BB4A6AB00B5B0477B14B233A87CA0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653418Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:52.051{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6ABC-609D-7153-00000000BA01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653417Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:52.045{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653416Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:52.045{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653415Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:52.045{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653414Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:52.045{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653413Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:52.042{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6ABC-609D-7153-00000000BA01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653412Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:52.042{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6ABC-609D-7153-00000000BA01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653411Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:52.042{7B03F3B2-6ABC-609D-7153-00000000BA01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653422Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:53.389{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AABCEB1880A0F86461F5074B57ADE255,SHA256=AC6BA9461C0685F5A802E3C1B17EAC7F8CDB6FC9A6B0227B1FA95AF1666EE635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555073Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:53.566{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5956CD2E6169C7C2E065F8A6D1BC0A88,SHA256=89148CCD2EB050C43D1CF290AF41E5DE7B7783A522916251EC7744287D905085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555074Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:54.597{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901A76D1489F0CB89CDAB3BD15DB4F79,SHA256=71DEAFE2E9F3E05CBE22504B2B30BC621D286119853E2DE01444D8DE6F6E5340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653423Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:54.401{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED633CBAEAFED7E6D6F38E3BAEF63B4,SHA256=54EB9B0BD1716E11DC524182D1DCC1A8CE1093A74A0C675C923E755098C923F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555075Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:55.629{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3566A05C39EF1CD2763AE40B9D316A61,SHA256=958AF50D2C1AA212B58ADE68B06F85A1AE3C5D052D371E347A1048CB798F0085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653425Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:55.404{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D001B4CABE8F4F986B67CA6146E6919,SHA256=AB9CA1B7AE411FEB519F347CB51B4CDC27172C02424053536B4B3C4B360581A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653424Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:55.146{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=724E749EC55C5196E7D78001CC167067,SHA256=EEC3012A5F83E227BF1A0F1E5AF04D80085A41FBA5FF0EF2A51E3B2BFD7A92EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555078Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:56.644{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557DDD4FE1C11F710B9C71283F36FCE7,SHA256=FE38FE129113F3A6E8E7D712CC24C8C3625CD5171B1CE9325B7F394691714AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653427Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:56.434{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251050C0371F4BF21864917EBC388837,SHA256=8CD87F655C45CFBC71AA01805074220C38FA63FA0F661BA7A86F96A55ADEF4D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555077Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:56.066{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E25052EAE55E81E5C8509B09A0FB59D7,SHA256=6D124B4E05D5429757A70D3E8F012914031C3854FD6D3203F5CE44B873B98535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555076Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:56.066{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C97AFD7527A8A859A056C29A9363366,SHA256=A001B49B1456E474D3AAA9B28F5F81983293CF08CF4A11BCDA956F23A1F2F27C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653426Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:54.377{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65240-false10.0.1.12-8000- 354300x8000000000000000555080Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:54.693{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51673-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555079Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:57.660{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA69154DA0949D7E38A34BEAE5D6F98A,SHA256=37CB72C59942C0B03E8B9FE22854DF81895B30DA04BEE50972F3F3EE0DF66DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653428Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:57.448{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6063E037D256F8A80FFE42E1EFC7A4,SHA256=BA2AD49B911ACD66416AE096DDD051558AC5AE319A7C81396EC8500C0F48CD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555081Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:58.691{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F8A2C7E11614439139843EACC6C27D,SHA256=895F7CD2A5609AB6B0B7CEAA863936C69B11F63108B701C11496B43AB07C865D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653429Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:58.461{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2CF578719A809204258617CC7F70F06,SHA256=F89B83E0B697BE43134FF0E99A597066989F3EAE4E1CD9596D6060D1F736A40E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555082Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:59.722{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16450C0F21E22E7B1217DC93F64BEC24,SHA256=0AE5E731C91F7057E00F631E875DEEF600071F1CA73C1DFDB1073B747AE0D02A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653433Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:59.468{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFE2FF843D043BDEFAA6EC65436440F,SHA256=C92855F2D05707B0886009096B6E158A7A873F7F86DAC73C243F0380570D3AE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653432Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:59.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}9127316C:\Windows\system32\svchost.exe{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653431Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:59.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}9127316C:\Windows\system32\svchost.exe{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653430Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:06:59.040{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE056D0C0ED2C3D984F81BD907A21111,SHA256=0F3EB64D92F25B613FC9845D75501E6E53C0DA2E3C975DE8A779377A7BE21424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555083Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:00.722{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50827A295A1260809A9A485147CD8D91,SHA256=B8477434327060D79C8552321F69C02EFCDB8C27E0717B6DFD33D34FAA9F54AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653434Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:00.474{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC222121EDAF7E4FC5A0EB5945829258,SHA256=ED13CBE1162C2C88100C4928D88D827139A1ABDE25544AC6028FBAEA8936AFF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555087Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:06:59.755{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51674-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555086Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:01.724{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF461BE2D9C2D027CC34B4995AEDC46,SHA256=312463FB5E8B1140EA1ADE5111B894F96E7F0BED6F570741DC96C9D46764A08F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653437Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:00.295{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65241-false10.0.1.12-8000- 23542300x8000000000000000653436Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:01.484{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9A1F0DBECD2E98AE1DA4AD2E574EA2,SHA256=DC1989A21623BC327F0B04AFE5923ED658E1547D8BF1210B9AF3AE199ADB3224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555085Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:01.144{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0002B73C814B42E4006246B2B132F1F3,SHA256=CE75F4BA3677FE53C168E77206C576C28E476A25C2CEFA4AD21F858756571F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555084Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:01.144{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E25052EAE55E81E5C8509B09A0FB59D7,SHA256=6D124B4E05D5429757A70D3E8F012914031C3854FD6D3203F5CE44B873B98535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653435Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:01.065{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D118347E463D1011F816FB6F39859FA,SHA256=33322ECFAEF6D708E7052BC29BE60F736E566F10977B98E26747CD3E56CA4034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555088Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:02.846{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=479C7ABBD21391BC77F2D412E5C68E66,SHA256=E39A224F39B67EB33E05923F3DEB3E311D9E60F6E9FE045F4A80F78EFCB1E726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653438Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:02.535{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174D8003B71F4098A8E3EE8CACCBBE63,SHA256=F62A7F8178B472B418FB8105BD8B9AFD558F490BEE4992ACC1260600F29076B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555089Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:03.853{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DF877C630DEE6A95621C4EC61691AB,SHA256=FE69E55E1AC635CDD9D1ADD32AD92A62804BF61E0716656C1A4C60F703E73EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653439Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:03.548{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76A466780FB7211B464DB56151398A4,SHA256=7513769025ADA1F46910277472F25B9CEF65A0E240A41388DA571DDE35427CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555090Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:04.884{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6872980226CA28ACF7055511BB368F,SHA256=BE1829C9FB783E33302B07BFDF3DA43F30614495043FCA4A76767B3CF0609AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653441Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:04.569{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E462B58778DDB72D5CAFD4C0207D3AFE,SHA256=ADEAFD37A258C78861B937E54A123A3EC775385221FFBF87C44E73521814EE38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653440Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:04.049{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59CAD707D2AAC969233B87E75E7125C7,SHA256=886B3267FCEA11F6F729FB0795DD3C33F27A5DB3F0B1286667B35CA005537902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555091Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:05.884{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B18E59224AAC88C06258119D60245F1,SHA256=8B6522B6B7400BF4ABB60B1335C4A9916BE785C7F9E3A6C65CBBA541877F20D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653442Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:05.575{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0512EB5373DB5F1E3AC5BB49ED751BA3,SHA256=0589D2C83D83A61958CA384C050BD411A1A9F52B29D1A1282B5FB8984B49A3B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555094Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:06.931{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EBE92FAEAD8EDE37C78685210516E4,SHA256=566B21105F355BD0B50C18CEE002EB6C2309522E04AD6295E018F875A65EF7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653444Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:06.600{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5558B4DFEE6CE2CF6283894FF5C6C1,SHA256=D84CC41EAEEDCE9851EEE02EA2F1416772AE872A6DA68F407476E26083304887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555093Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:06.243{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE979A12DD2B003E012874ADA8BF940E,SHA256=7DA8D39BC99BBD521E904FFCD4312619AFE28260C23BEBE2DF8708A17D4DE0D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555092Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:06.243{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0002B73C814B42E4006246B2B132F1F3,SHA256=CE75F4BA3677FE53C168E77206C576C28E476A25C2CEFA4AD21F858756571F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653443Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:06.235{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=378EE72F1938186C37DD62BBF7AA768E,SHA256=CEC9754A7EDF75F43BC1A053B728AA42F7756C20A8CEB589A908C97691A16CCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555096Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:07.978{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8BDAF79E4D8CA7867A9A27A7F24B31,SHA256=F986421954B6F9A0AEC8D4A7948C288EEF13605698CB7940BC5EFAA2F03E7E13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653446Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:07.605{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=426CE5D234119898B46DAEAC9CC26D60,SHA256=FC253F804B17F9544E4D1B6F9AAC3DB57F378E42E11584286D4014CDB8A37E57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555095Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:04.870{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51675-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000653445Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:05.465{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65242-false10.0.1.12-8000- 23542300x8000000000000000555098Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:08.993{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C3B19FA83A71345CDE545371385C4D,SHA256=F4B7A6E9CDF7084A3CEEB500A7FBF5CB3A2D3F6CB54095BF3E36A5471CA42EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653447Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:08.625{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD0A9DC5AF37853A3FF66D3C50CB72D,SHA256=52B59E09703B7096CF2DE08B808C83006DD73320D2B46186D87C739A87D68A70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555097Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:08.790{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=74B19DA748E2260B755460E92F16B1D5,SHA256=981BFCF25C3431E1BC8E1F5391660D6C0409776D0ADCF7F1FFFAB0D5476AE9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653448Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:09.666{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4634E934C69405C7B95E18FE84D683DD,SHA256=82FF0694833001D8A507FF299F1A7C78E55267C282871B753924D310375A0FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653450Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:10.695{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E5A1689AA131E4B527C3AEF7AD7F66A,SHA256=B2D714B18D32AB3FC9E9B29C242841846F248D03D785B95536D8D6C46A16FFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653449Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:10.674{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81379E4AE5AEB7DFBCBEAEF3220EFC71,SHA256=27C0192078AB7AE60452B26156F1DD4EFAC85A8E6730822FF82531B912A8912F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555099Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:10.056{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0D9FCDDFFF02E3C2F62B0E1EF5C35F,SHA256=80E81D24A444D611467363D60DD14D56B938C99E258061EF4885659A24DD9A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653452Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:11.734{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A57FE457086612FB99765690769BC2E,SHA256=4DE93C384FA88766863BAD98D8D816E9474E5BC91178EE669EA68D80E9347832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555100Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:11.103{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6ACCB9EBF3618D491775536E5183F15,SHA256=A75026EA2BD6897BB6B6E6AEBE75285118AC9715EBBB907DFDF36E8DE84B51DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653451Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:09.923{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local56245- 23542300x8000000000000000653454Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:12.750{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F30D2EB74D42D6EECD9ED7EE28F9CB,SHA256=AE4FC1771F2D8AE278F981321EB3C5F3920F41B583ACDA35F9FA2B504C161CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555103Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:12.212{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66EDC82A9509AEA63A7BD3E10779DEDB,SHA256=86A2D3730C8C4C26672503888B566EC66FA8970EDE349566C0DD84B8B3F638E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555102Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:12.212{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE979A12DD2B003E012874ADA8BF940E,SHA256=7DA8D39BC99BBD521E904FFCD4312619AFE28260C23BEBE2DF8708A17D4DE0D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555101Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:12.181{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD512E10013807A192880E42CBDC6B18,SHA256=464B8766F87F52E553B857D1FD2DCA7A2B5998C409BFF4863ACD2A5D16DA52C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653453Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:12.125{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A08BC2D78283C887773CF84F87D8EEC2,SHA256=C056DB66E3DDD70AA8393430E30BBBD07749CDE6B412CAA57D2D7DF1BB344AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653456Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:13.763{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E39E6D22B7E54BC9E7D7D342BA22DE0,SHA256=09C161A65F13653A59A1CBC3A95AD533A944F4FB7E7E4A5ABD643556433DA181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555105Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:13.181{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050337E863E89325FD3970178EDB9981,SHA256=28FA5261B5D9F5018EE79B90AC85C14BA5DF9BD7F99BF43AB2243059938677E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653455Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:11.348{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65243-false10.0.1.12-8000- 354300x8000000000000000555104Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:10.854{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51676-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000653457Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:14.797{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19BB46520179A108622B8DFC98F09DCB,SHA256=DDC5D18E21D5F867DA0F6949523146A22E32FE6FC935A4F789ACC37A9EA993C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555106Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:14.196{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A2B23501B842214F771ACDF8576687,SHA256=CA899EC9AF5D44F884631DB7537ACF26581DADC40ADFCE7EDDDA2E6DD6749B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653458Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:15.820{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6107B486655CCB1B3201ECA290BD68,SHA256=264BE59FED2B6CC8F7BC74A726F81EEE015C0ADC237BC809FD27681EF39A30EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555107Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:15.228{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8166B06DE79F26B15D37DDAEB4CB69B4,SHA256=532EADF4707ED4EE2EBB3BB635CF81740EEB5AD7F0FA8C14304FC188B66D5E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653459Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:16.860{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A873BFE7BBEC764AFF7551855731BA88,SHA256=8A085A965B443A4AC1D3F2CC4263D36EAB32112719776D649CC4C47AA282AEB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555108Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:16.259{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE551B558C839B26B6BA742EB8C303F1,SHA256=7783610DC595896A8408F5360848CECA409D7A90B32A4196AB3EB9F9CF5BCA02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653460Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:17.896{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02C367CCA83730BCEEB6542707AA7B6,SHA256=28C8FD2D9EF10092D6B687C2BD5E37F0C8C7D311DFF9A098FC633D85A7EC35E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555109Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:17.259{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F480F0B15D8509F478052A837095878,SHA256=717D6FBF795188C620CC8E22059287415036A813AFCC9FE14C115F7E621DA889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653463Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:18.921{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA2E985B746F449B9D256A044C90755,SHA256=9E2E838D567F42F09824F9E7DE75E5A7AD68BEEF796AB730FD3C2461031D370D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555112Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:18.274{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF77E4C454CDA012A48F18E4990DD3C3,SHA256=23C50081138D2405F75D0B6D4EFA79F76AE098C2FD8BA1B2AF747AFB55F7BB6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653462Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:18.073{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE9240E58A0B5916CAF3680B3E758A5F,SHA256=9AF2546116BDAA80E8D757A53B5CA7E05C9302596E39B99338CC59A8AF668FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653461Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:18.071{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=604D41C7A767B504BB4D053C3D3C9280,SHA256=D520D0B43CCC906783135F00A8EC2E736AA39C159D843EF33BC2E04C45B30169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555111Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:18.040{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CA86C571914AD8E49FAC58FA137EFFB,SHA256=6399336ACEC2820559E7286753C12D4349D04CFE58F4B698CDDC49E3A20F9375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555110Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:18.040{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66EDC82A9509AEA63A7BD3E10779DEDB,SHA256=86A2D3730C8C4C26672503888B566EC66FA8970EDE349566C0DD84B8B3F638E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653465Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:19.924{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC806BFBA9E7F933A7171A492359926F,SHA256=D8C7C0072D4D072136FB4619B7397124CE39ABDF6F7568A5DD194802AFFE0992,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653464Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:17.307{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65244-false10.0.1.12-8000- 354300x8000000000000000555114Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:16.667{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51677-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555113Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:19.274{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F15547F9060A3B6EE92DA1DF31F96D2,SHA256=F7C8766FABCA3F59F71BAC13B09473B40D509E27265BBA0707B37246ABF73B55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653466Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:20.932{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3084B84CC2584156269B7A5B3D26561B,SHA256=561A58EBA387A25B2BDB9D04DB816D5B94D353A593F1AC73BF0E2D9D24789BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555115Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:20.290{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF18AB3A1C3FF0A50CDE64EE930CC88,SHA256=74B6B17CB172ABAEF9BFF9F5DBA932415B1B47251454E51A56F934F9367B9DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653467Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:21.939{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E6C6FEF892EDAA5B198663BD8BD7DF,SHA256=32A102D734CA25D77D21838CD773C551A983BBC67D89D1542F09BC8EABB665F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555116Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:21.306{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901732CD05C93F8EF357A77E621D6F93,SHA256=89AAF06CA1307EB4D67677867CD3D55897919397B5EEE8B230D1680EBA6BD653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653468Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:22.948{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3600A14AE5D4FD97A8C9AAB9EA73AEE8,SHA256=212CB6070CA199CE662081BD903ADB077E19A6FE2AF6204BD008261D2A0ABA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555117Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:22.337{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1A94B35CB06AE77480DB6B07C8A2F8,SHA256=BEB61A5F09C6C0D09290F400C5FD4A3DCF9B300D4E7946AFE9F60DACA3BB9A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653472Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:23.976{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E553D57BD618287E8B0270B47E96E73,SHA256=2AEC24857CEBAC6F3D1062003B6B7C8709707DD5701DD72E319EABB75B354EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555120Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:23.345{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3505E5353C26A79254229E6FB720498A,SHA256=1937E6732465B55F1E5444E0E28213E9B779802E9CE0D9B13D938B6C4EFCD3FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653471Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:23.200{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=966EE9FD3C7D3274980ADED27D6E7E46,SHA256=4F5C2747AE1EDC9B3E9384254AD6940999AD576C43FFE3C3F3E2100A3DFAF4F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653470Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:23.196{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE9240E58A0B5916CAF3680B3E758A5F,SHA256=9AF2546116BDAA80E8D757A53B5CA7E05C9302596E39B99338CC59A8AF668FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653469Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:23.072{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555119Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:23.220{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E236B33BE1890821A06E34E10BE307B3,SHA256=0F5CCE5530675C3285CA0BA72ECFAAEB07294509475481325C73E8E9603B1CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555118Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:23.220{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CA86C571914AD8E49FAC58FA137EFFB,SHA256=6399336ACEC2820559E7286753C12D4349D04CFE58F4B698CDDC49E3A20F9375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653475Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:24.996{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F9297E6DE167E1DE90D2AB901ABA970,SHA256=46940A31385232CE9E8AC2CB57F1EF6A51D8DA5A2C1E9952B8D5D42297D0309D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555122Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:21.839{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51678-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555121Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:24.345{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26BC1DCBF0F5F30A0A24083D8B7F07C,SHA256=AE5A3894FC6FB0150D8F30FD0F1410D1A427B4744C175056CD84643DE1B55992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653474Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:24.398{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=966EE9FD3C7D3274980ADED27D6E7E46,SHA256=4F5C2747AE1EDC9B3E9384254AD6940999AD576C43FFE3C3F3E2100A3DFAF4F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653473Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:22.431{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65245-false10.0.1.12-8000- 23542300x8000000000000000555123Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:25.360{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31236E7FB49DE4D07DDB052C86273326,SHA256=D90B0F6533B4BA35392E814E07344C629DB97DE8AA1EC9C6B83788EF0CEA2028,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653478Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:23.621{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65247-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000653477Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:23.621{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65247-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000653476Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:23.296{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65246-false10.0.1.12-8089- 10341000x8000000000000000555137Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:26.829{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6ADE-609D-824E-00000000BB01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555136Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:26.829{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555135Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:26.829{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555134Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:26.829{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555133Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:26.829{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555132Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:26.829{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555131Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:26.829{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555130Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:26.829{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555129Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:26.829{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555128Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:26.829{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555127Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:26.829{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6ADE-609D-824E-00000000BB01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555126Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:26.829{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6ADE-609D-824E-00000000BB01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555125Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:26.830{E1BD9FC2-6ADE-609D-824E-00000000BB01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555124Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:26.392{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09D0E11FE5F0BE0844C3EE0170F485CE,SHA256=8090949BF006ED86E9A5B95FC17FFCEE089BAF1B44B9B4D16E1006D5453FB839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653479Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:26.016{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B79FF3E589384DEEE40DD3D95A1774,SHA256=063A30300372345C9608C692309C7BD9145FCACC8959AECA880F1601FB102DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555153Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.860{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E236B33BE1890821A06E34E10BE307B3,SHA256=0F5CCE5530675C3285CA0BA72ECFAAEB07294509475481325C73E8E9603B1CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555152Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.720{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555151Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.501{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6ADF-609D-834E-00000000BB01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555150Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.501{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555149Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.501{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555148Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.501{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555147Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.501{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555146Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.501{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555145Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.501{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555144Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.501{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555143Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.501{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555142Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.501{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555141Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.501{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6ADF-609D-834E-00000000BB01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555140Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.501{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6ADF-609D-834E-00000000BB01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555139Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.501{E1BD9FC2-6ADF-609D-834E-00000000BB01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555138Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.407{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFA342FA2D11CAF3CCFDAF5E88960E0,SHA256=F6BC6417D955CB08D66E879C162C0A2FBE049FE0CAEADEA57A638925A0980534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653480Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:27.031{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=999EB72E0EA73AFE3DBCCCA065FFA107,SHA256=6974E1C8448BB91FE671E34753C53BBAA6636A7B4EEFD5D3B23D09FD9DD6B7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555168Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:28.501{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE02B5F4B69B78CBE3EC6B43513E9EF2,SHA256=B15F4FB62557A45C04692173B7A4F5283A8DFD59623A2B4354E5EB5ADA63204A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653481Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:28.040{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E211EB0013E66325EBC5B1B5C1BAB790,SHA256=6A51F2049A8142DE0546E3820DB50B4A4AC34EDB3588852449B1299F538CB429,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555167Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:28.298{E1BD9FC2-6AE0-609D-844E-00000000BB01}39361264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555166Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:28.173{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6AE0-609D-844E-00000000BB01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555165Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:28.173{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555164Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:28.173{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555163Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:28.173{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555162Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:28.173{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555161Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:28.173{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555160Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:28.173{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555159Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:28.173{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555158Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:28.173{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555157Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:28.173{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555156Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:28.173{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6AE0-609D-844E-00000000BB01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555155Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:28.173{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6AE0-609D-844E-00000000BB01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555154Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:28.173{E1BD9FC2-6AE0-609D-844E-00000000BB01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000555171Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.346{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51679-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000555170Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:29.532{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FFD50A1B73E74C487FA5BF5CBA2395F,SHA256=6B94CA37E095DD532E17C368569E63E5C34BEE43A1F25738040A4399CE8D7BC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653484Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:28.423{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65248-false10.0.1.12-8000- 23542300x8000000000000000653483Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:29.192{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D18CC2EC171078756B61D0A9006F78A,SHA256=68A6E6916D0F67CDAE62DC6A33A76DE2F931408C2C89A59F02CFCFDE9B8E5CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653482Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:29.057{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58BCDDC3F814CF104FD427D87B3A4B9,SHA256=D0E9AD63432EAAE3FAB21AF8A9F50F8CA80FCD4D243C97B0398032BBBEE0C5DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555169Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:29.110{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A8A46A03824CA83FFD7E1D10F83C549,SHA256=BAC4746ED53F29B9B75C31236C13B5C40E47108015008D4681AC450C4EA5EC37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555173Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:27.706{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51680-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555172Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:30.595{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F80D66503F174C7D92ADF5826685113,SHA256=5724B507DDC8282B8817916957146441EF67CF8FDAC1732E70D21E0C4C419F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653485Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:30.068{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD44682BB082438807D44EAC0CF1AA3,SHA256=FE76829819EEB8721E851081D74EDC70EA8C53031804E9A7B0D98BABFE66C26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555174Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:31.610{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB4C54A5DDDFFC83902701E9759C782,SHA256=3C229FCF4B100494E4C4FB5D1CDED6C1F953BB782FBE4496DB0569326CA1AA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653486Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:31.076{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91AC0EAC476BDBC1908816A7E8993A56,SHA256=B53F389E1BD98478FD899FF081B14F24759FE36F2018ED3D41D9BA2E2B872286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555175Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:32.626{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4D7049A7812C346E78C2CF65CA54A4,SHA256=274995096338CBDC9E9ACAC7B56FBD4E2F2F2E0C048A168A0374BC05E966E536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653487Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:32.216{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DDE589D43A837216387AAFE0461788A,SHA256=2766C692A0F9083B8E002627BCE73204F98DDCB5EE7769CF1166A4A8E5FEBA64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555176Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:33.642{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D156C0DBF8CCE788D59484159CA2240B,SHA256=77F6B51EF3C1F80A3D4055846A7D96FE5FFD253628CC7CD895B703AD875DC394,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653489Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:33.958{7B03F3B2-D0CA-609A-0D00-00000000BA01}9127316C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653488Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:33.230{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B9506269DB5E3D12AA19FA919A2AB6,SHA256=06D1E9ABA1E833CF21D00DBF1DA2E2274D92BF7398E065CE5617AD2038B84F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555179Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:34.642{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635BF3E75F6FB12E125A3392E2934D3F,SHA256=4C4A929DB0EEDD810F86284A2575D8158EAF0F4175E55AF2589A6FEC392B9BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653492Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:34.244{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9515FE89BB42F7C88BFBF0E4F79FE1B9,SHA256=597853AEEB00595E64586F7EBE549A0BA447C973076435DB1EDCD27B4B4B8DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653491Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:34.243{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A55FEA89F9E446B50B3B424936DF339E,SHA256=2FD0C51E59A83D17FE5C24261538CF9E7A4357780D3998754C41EB0AAD26C75F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653490Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:34.242{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0987DC77F61B8BDBBE3C9CC47CCE5581,SHA256=A5C96A6A5874B6EE2BFF46EF47E7810DEA56BE7F1D17B4C3CAEABF802EA83C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555178Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:34.298{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EECD057293501FA2B5CFAA446016AA5D,SHA256=2C3C23876B32B1632E35421085A7B890A8E4FA55BDA6328CCDFBC362F9B0E672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555177Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:34.298{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=748750C16F23484B2322ABA88EE6C302,SHA256=D2621F2ACBF1283F1D611DAE7AB4116654C5126E1FD693C0A4B35E4C042CB6A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555194Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:35.923{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6AE7-609D-854E-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555193Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:35.923{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555192Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:35.923{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555191Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:35.923{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555190Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:35.923{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555189Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:35.923{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555188Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:35.923{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555187Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:35.923{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555186Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:35.923{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555185Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:35.923{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6AE7-609D-854E-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555184Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:35.923{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555183Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:35.923{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6AE7-609D-854E-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555182Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:35.924{E1BD9FC2-6AE7-609D-854E-00000000BB01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555181Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:35.657{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E17CF7F23029E401C15CEF460D18B84,SHA256=FD2A67E04D5B4B9579262B790AE6BB926EC476E3B2D3B6FFEDD4EE3FFB57E6F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653494Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:33.470{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65249-false10.0.1.12-8000- 23542300x8000000000000000653493Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:35.271{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D990707742BB9AFA2C7FFBE8DC8E6608,SHA256=B4AC6BFA72436291A1A9D9140C5C73AABB933919549CE1559BB308A890601B73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555180Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:32.877{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51681-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000555209Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:36.720{E1BD9FC2-6AE8-609D-864E-00000000BB01}15604040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653495Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:36.286{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEFB02586F0E2EFFE29EA6672002718,SHA256=CFC162D6F22BC5443657E5C06F61B927C21739D8DBBEDEE6F45AEDE86054C45B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555208Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:36.595{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6AE8-609D-864E-00000000BB01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555207Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:36.595{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555206Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:36.595{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555205Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:36.595{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555204Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:36.595{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555203Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:36.595{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555202Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:36.595{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555201Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:36.595{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555200Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:36.595{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555199Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:36.595{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555198Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:36.595{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6AE8-609D-864E-00000000BB01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555197Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:36.595{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6AE8-609D-864E-00000000BB01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555196Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:36.595{E1BD9FC2-6AE8-609D-864E-00000000BB01}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000555195Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:36.063{E1BD9FC2-6AE7-609D-854E-00000000BB01}17882996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555238Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.938{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6AE9-609D-884E-00000000BB01}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555237Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.938{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555236Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.938{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555235Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.938{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555234Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.938{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555233Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.938{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555232Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.938{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555231Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.938{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555230Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.938{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555229Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.938{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555228Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.938{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6AE9-609D-884E-00000000BB01}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555227Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.938{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6AE9-609D-884E-00000000BB01}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555226Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.939{E1BD9FC2-6AE9-609D-884E-00000000BB01}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555225Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.720{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DEF8DD732C91B2D689A6ABB3F8E55EB,SHA256=BA702E5EF678B5DE211EC0FE425C958E4B97DB492A91C213B1608BD0D7429C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653496Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:37.295{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB85D72EE9F28E565F3C14141CA72307,SHA256=2F56DDB94B34C51265EBAFAE56305E4F6487436A1D205B3E550A478345ECC4AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555224Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.267{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6AE9-609D-874E-00000000BB01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555223Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.267{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555222Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.267{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555221Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.267{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555220Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.267{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555219Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.267{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555218Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.267{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555217Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.267{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555216Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.267{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555215Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.267{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555214Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.267{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6AE9-609D-874E-00000000BB01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555213Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.267{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6AE9-609D-874E-00000000BB01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555212Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.267{E1BD9FC2-6AE9-609D-874E-00000000BB01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555211Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.079{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909A3E990182BF426D759B4868F9C4D5,SHA256=46A0632D13ADA0C71E9F1BC80652631EF852A1138C865D5454C8146C7AE02A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555210Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:37.079{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EECD057293501FA2B5CFAA446016AA5D,SHA256=2C3C23876B32B1632E35421085A7B890A8E4FA55BDA6328CCDFBC362F9B0E672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555241Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:38.767{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706815D29231834C52CC0A9F5880DC92,SHA256=DBDF81D35649C004644B367102BAED316D3FD58760C218B50D4779B311CACD55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653497Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:38.305{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164A028B6300E97CB39757E8EACCD385,SHA256=77807E744319105F22C451CD8DB53CD91DD507E2E083A0796CE07E2E3A8C6946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555240Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:38.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B00F4ABB299D4CA3995C04949608ABA,SHA256=6A9DC8A63544033DA0B3A4570649F08F9A5E8774CCFC1D321CC015A89CD6E0C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555239Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:38.063{E1BD9FC2-6AE9-609D-884E-00000000BB01}8483844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000555242Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:39.782{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76CC73D50A96183B86FFA45CCFB693BE,SHA256=8130506655EEC996FBE5B7E23B8817879A3DBAA26ACFD8DBB4B8383CEBC265FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653499Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:39.320{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47D50AE1111D33C196E2C330825AB5B3,SHA256=F5C843CF088E7C3712328F475E6F27A9DF58B0335444A70A7183B84B2C19E611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653498Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:39.068{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A55FEA89F9E446B50B3B424936DF339E,SHA256=2FD0C51E59A83D17FE5C24261538CF9E7A4357780D3998754C41EB0AAD26C75F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555244Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:40.876{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEBB24B5CCB503CD6789393B5144424,SHA256=17E9A6B111A7C860EB2B89796A9A01F0E9BC6019BC1B67DBB7418803D5D682AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653502Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:39.390{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65250-false10.0.1.12-8000- 23542300x8000000000000000653501Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:40.323{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE3D19CEE88F63114A33CEAA2499004,SHA256=2353722BE4B4037436EAEBEAB032227C1894B092B361B3A1E3FBECCFC0DEF67D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555243Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:40.110{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25367257407811612FE1BB72AFB6407F,SHA256=F29A7265839B5B7C81556B8F2D996A2166A6810265B9E9C3BD1DB6A5B9F55E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653500Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:40.212{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=655ABDCDF34F09EDA3207E41AFE33712,SHA256=44C2894F1F4170E645735F46BAB9FE02D13F074E466AC53C2A637752FE03BFFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555246Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:41.938{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF819386931F7E63EE3570C5B3C7EAA,SHA256=B8271F4B278C21BF6D789F71F14733F23704BEA1B4A75CAD0EC6C09A9EA5BB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653504Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:41.489{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F084EE2A23697B86B3EFA08CD5677678,SHA256=531DA9B06C63387ACBA31D001A2BAB76807958D18CA896EFC317B8A3389830CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653503Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:41.342{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AECC44B439B77F178CDEA0395134E12,SHA256=6959A455FE19EA8DC211D2C013AC87B8D8C14AB0A2B4145335290EEA0EEC7098,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555245Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:38.721{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51682-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555247Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:42.970{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85859E4F032DA488C158BDB5CF6D3FDB,SHA256=A88B7D3201D934B45912615E6352215E1152B9F70426EF1A8DDB9D9F4F0C1E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653505Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:42.354{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF867BF9FEC5C974C503A93E8FEC7ADB,SHA256=99054EBCF3B011EE234544299B7FF6BF887BCCF70BD9C0443D11CF5B753C9653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555248Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:43.987{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7E54ED2AFF36C567D312DF8DBAE5598,SHA256=9E70198F2F3A37E4983E3556091E5D3E3D30EE8CF42DB26098BFA5B66522168C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653507Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:40.713{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local58073- 23542300x8000000000000000653506Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:43.373{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5126018C20AE3EEFCE53CB44DDCC06D1,SHA256=749DF3C5E35CD0DA03A0ACD75089BDE7A9F09E6D7BE77F8F314D3C089985FE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653509Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:44.398{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53E5E8D30A5F8E5BE5557A14A12F723,SHA256=C6AAC4C67F6017FA679FCA5D51F44A1712BDDF44598EB242EAFD3D22475B4B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653508Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:44.065{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9516DF17921B276A5E01C494B3B789B,SHA256=A833B0AA1AECF680195E2B68FF00A7ABF78AD7A05377E126E5B9FE9672535CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653510Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:45.402{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37277F6FE4109254A188B121F3D3FE3D,SHA256=38E1E378BFDABCB318FA798821B0743CFDFAFCC728326C833201278C20FC1267,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555252Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:43.739{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51683-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555251Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:45.222{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE1889625BE38417664782E2C3081C54,SHA256=100E4039B85AEF0BBAFDB686621F17606E0BB03D28F28952A2D70E64A5B5D072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555250Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:45.222{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=044657EC633686D913BE5FC00D7A74AD,SHA256=F232712F4CA249F24D6B95BB7332FC5CB1E1D77973A3C1692D3B0B2C499F92BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555249Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:45.003{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE60D00CBBF24DECF7CE9AF8FDC8DE3,SHA256=F925EA606A807D28A9CF37235FC04D9E698A5FCCF992A6621D4DE55459242826,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653528Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.997{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653527Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.997{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653526Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.997{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653525Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.997{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653524Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.997{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6AF2-609D-7353-00000000BA01}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653523Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.996{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6AF2-609D-7353-00000000BA01}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653522Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.996{7B03F3B2-6AF2-609D-7353-00000000BA01}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000653521Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:45.314{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65251-false10.0.1.12-8000- 23542300x8000000000000000653520Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.414{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F8C54C4A323D249B35CDEF5B8B242B,SHA256=6A0F2F77C7654661491CD24FB0D9A19B8F4DC361784F746A11A07849E149EEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555253Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:46.003{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B15D039BB90C5FFC37C855C2BB9C81,SHA256=CCA89A965491300FEEAAF0D8F7F8125642F57E711E90B134C9891C95F5592F64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653519Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.327{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6AF2-609D-7253-00000000BA01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653518Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.320{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6AF2-609D-7253-00000000BA01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653517Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.319{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6AF2-609D-7253-00000000BA01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653516Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.318{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653515Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.318{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653514Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.318{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653513Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.318{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653512Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.317{7B03F3B2-6AF2-609D-7253-00000000BA01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653511Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:46.082{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDA43E740CBC148EBC65F44772DC39E2,SHA256=55ED4B5438482B9E69FA6A91EC610C1BF7193363BF11F55DAC3BCA0D35642A52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653540Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:47.566{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6AF3-609D-7453-00000000BA01}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653539Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:47.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653538Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:47.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653537Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:47.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653536Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:47.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653535Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:47.563{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6AF3-609D-7453-00000000BA01}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653534Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:47.563{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6AF3-609D-7453-00000000BA01}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653533Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:47.563{7B03F3B2-6AF3-609D-7453-00000000BA01}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653532Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:47.424{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D485EFF2E2097A495F8033E6624189A3,SHA256=3992CDA0E187E016CA275D508C407D85DE9C45175B743FC093EA301BEC045DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555254Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:47.034{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0758D61EABAA411BB02178C8F298A749,SHA256=E47BAB1A781AFB49D5CA4A503BD7EDB1391D52A014EBCDC62C1B946F4A535D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653531Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:47.328{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D38B966224EF57590532674505BEB56,SHA256=BA26D553047CB52E9CE0AC9C9E81FFDFAFB612B8E775778614B1CD792661C7F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653530Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:47.172{7B03F3B2-6AF2-609D-7353-00000000BA01}59245704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653529Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:47.000{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6AF2-609D-7353-00000000BA01}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653551Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:48.707{7B03F3B2-6AF4-609D-7553-00000000BA01}40406704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653550Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:48.606{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F86108B7C32022E1E697C2FCB5BD810D,SHA256=CF1575D789B749659145A5F0C354DE1D95E54103C28FB52ED64EE03A501F243C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653549Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:48.497{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6AF4-609D-7553-00000000BA01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653548Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:48.492{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653547Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:48.494{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6AF4-609D-7553-00000000BA01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653546Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:48.492{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6AF4-609D-7553-00000000BA01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653545Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:48.492{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653544Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:48.492{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653543Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:48.492{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653542Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:48.492{7B03F3B2-6AF4-609D-7553-00000000BA01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653541Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:48.450{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458CB17DDD02A55BA8D057BF0826FD39,SHA256=BC5C7B8CD9C874E1EFA5B789290D1EB05961B4630BB153ED35F1DE7FB02B177C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555255Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:48.034{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=200553DC4062F1EBF4CEC94924AC9F4D,SHA256=B6F786289F6E5E9A21DCD918C9F9BE5D31B55189168BC1E5F53554DDBE574483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653562Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:49.717{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F5A78B4316C6FEB9968C475C8670CC1,SHA256=FF0BF26DB44699389E70DEFF53958931A559C33067696E6F835E78BA67393F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653561Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:49.475{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE8941922D41D10C4018B6C644D25D2,SHA256=3E3E35DE81AE8F13A50F72291652855F3627610639FFD3362CE0FB3E07FBFD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555256Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:49.034{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758248D9F865B4719575B6F71D8B4752,SHA256=7DECD0A918EE17BA33717512F49F49B9E8C06CFD4D7EA172DE9357AA1B8C1676,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653560Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:49.312{7B03F3B2-6AF5-609D-7653-00000000BA01}59407324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653559Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:49.155{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6AF5-609D-7653-00000000BA01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653558Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:49.154{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653557Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:49.154{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653556Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:49.154{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653555Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:49.154{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653554Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:49.151{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6AF5-609D-7653-00000000BA01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653553Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:49.151{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6AF5-609D-7653-00000000BA01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653552Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:49.151{7B03F3B2-6AF5-609D-7653-00000000BA01}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653563Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:50.491{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0FA5508C5257E5C18F92AE72689FB85,SHA256=15B8F326C600609F8F3AD505EC8ECB2FCC48BC5AD9F10095B1B6FEB082B5D4DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555259Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:48.848{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51684-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555258Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:50.206{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE1889625BE38417664782E2C3081C54,SHA256=100E4039B85AEF0BBAFDB686621F17606E0BB03D28F28952A2D70E64A5B5D072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555257Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:50.050{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23093DD41C1C2D865EC1375B6222F666,SHA256=08563E29621E08CF4DAD9453A6881CE9464CFA83CEE655F70A94DC2F043F6CA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653575Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:50.374{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65252-false10.0.1.12-8000- 23542300x8000000000000000653574Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:51.502{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F977452A6ACF27E0BBA82D03A300E8BF,SHA256=FC2B1FC189B579CA39CC207193719058F92F5B29A07BF52005B7375094D9F8CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555260Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:51.065{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4BF9D8305A233B8B128CCA9D0E70FC,SHA256=BDE5E7B0A58289C9D651EFD228F0D063631E2BBEAA05CC7A3A0397B8BD2408F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653573Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:51.383{7B03F3B2-6AF7-609D-7753-00000000BA01}73206272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653572Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:51.194{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6AF7-609D-7753-00000000BA01}7320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653571Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:51.192{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653570Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:51.192{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653569Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:51.192{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653568Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:51.192{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653567Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:51.192{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6AF7-609D-7753-00000000BA01}7320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653566Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:51.191{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6AF7-609D-7753-00000000BA01}7320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653565Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:51.191{7B03F3B2-6AF7-609D-7753-00000000BA01}7320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653564Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:51.147{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06017D87378B0ECFB4F1D32C84FCE189,SHA256=2F0E7F75A857E5127241A9BB42147F39802387B60E81EC9E001354E92481A054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653586Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:52.960{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6265247A300D8E5B7806E03C9703839D,SHA256=D9C42A5D8A549B91286D48B9DBFB75DA6498E8D2BBD0FD645DCA1A5CBF2E47DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653585Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:52.513{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6708F20716D345DCEC3AD336F2D99B,SHA256=B5ACFDB965E5FB6D4C7EC9A7B81163441FD8FC70A1BEFE5991C54DAEEA3C99E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555261Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:52.081{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA257999163D531C338A6DEB2DBE96B,SHA256=3A2F30590BC93855C3208F7B8F71BA06C4D520C7D1D85664DDF269BD396855B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653584Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:52.200{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43B47ED7490747222C5F1B045568539F,SHA256=C8599D6C423BE7420DE6742269281C47AF5B315265C6B0A60162AFED94474396,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653583Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:52.032{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6AF8-609D-7853-00000000BA01}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653582Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:52.030{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653581Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:52.030{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653580Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:52.030{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653579Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:52.030{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653578Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:52.029{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6AF8-609D-7853-00000000BA01}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653577Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:52.029{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6AF8-609D-7853-00000000BA01}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653576Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:52.029{7B03F3B2-6AF8-609D-7853-00000000BA01}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653587Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:53.535{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA42D0B1E63A7B6CC220FA0112A7F621,SHA256=6C5EE8A1EF882D5F7799FB9817F277062D1A1E211F9FAC9CA044A0A266B3B08A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555262Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:53.097{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B838502D7ACD746DF764D18ABC0F0FFE,SHA256=D0FA09BA4E62A4D1908FD9F8DE6D2E82987CCF41269149A6BC10294D60BD44AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653588Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:54.542{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E276BC0618A8875772F18F61BF2C47B0,SHA256=7C19872C68C69CF0DCEA9B47570001E027D8A37D68370027DEDF4DA8812B6142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555263Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:54.097{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2543AB8B3CEB276CF0473217043EEE3,SHA256=7AA85CB6AF73671BE621674705E65A8BF63381D1270978E667567ABF26A39E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653589Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:55.559{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF14A5D7F4308E47DB10DEF67F7CD38,SHA256=D585B367F76DCB1B38FCB209AABCF063895651EF4C569AC8D25CD386825A36C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555264Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:55.097{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC713C43D0CFDDF24D84FDBA4F6103F,SHA256=22704D08C1D6FEB3AD98CDA94FB65E3AC683425734129852F30266050DFEDEFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653590Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:56.565{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9954CD77764AFA313D6438C20B33C2B0,SHA256=5C825A07FC0CFF0636312A1B90ADCB1C76ED10E268FF4D225FCB5ACFBC787927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555267Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:56.222{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CA1C8539392A28F525873A86E53E715,SHA256=7E5F8410D1B287A596F866A168BBAF7BCC5B6EE95CC69833E4D927D9E3FE83C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555266Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:56.222{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF854004A42A7A735D84DD96B6B2C9FB,SHA256=A0D6AFB9A29956BFB7C6084CECF7EA1D1893F0BBCDB61F9B0CCABE70A787ED27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555265Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:56.144{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316CD416802521FE492B2CEC4814E43F,SHA256=61F58E8928E30E1EB59B3FB9FF57185E67908A4B4173834628E1333E1841D87A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653592Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:57.582{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA75366729B8269040720DA183FB704F,SHA256=0AE14953F2360EF5E6881206E1B385F736999CCC641B6F121A0B6D56C628A6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555269Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:57.159{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E0D2CEE2018A926384E133A60F5AD1,SHA256=315463DC859E3F68AB1008B9F89D1F3E7C8B23C98A83EFCE7092E93AA96ED895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653591Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:57.057{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EB4541AD347783B590C7D6B3308BBB7,SHA256=BAF333190471E6BCE9BBFD2843EE1D398B0A224760AF3BD821FFC3CA130C3103,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555268Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:54.801{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51685-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000653594Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:56.278{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65253-false10.0.1.12-8000- 23542300x8000000000000000653593Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:58.597{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ADB96884CDD2CF9C21418F8364E2A2B,SHA256=0AA6111ACF758EB6068B81974779C8238620A97C5D71A5DFB8B8C452C6D013D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555270Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:58.190{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4239C47728681B9B9EB7BE2A792B8DA7,SHA256=CCB2993A582516E20D6C13D0FE1623E81AA6EB57119CB27982A8CF48F40FD8A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653596Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:59.630{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026F28C8F41F0A3AADE8FB46316B43FE,SHA256=79CF1D8FC5F07AEF40D30D5486D226308AC66BDCE93428BFA72DC69CEF4F5ED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555271Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:07:59.206{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF580AEDAFA68EAADB51007EC52541C1,SHA256=513596AD78DCB7D5C95C9813478C2B86BBE9D1BA99015E93F4A2268865984340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653595Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:07:59.080{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=492298EF1F61278FFF82B97ED8776D58,SHA256=562C616D6EF7F868A795EB38C9DCEC1DD2C7A9BBFE0715CB5D9BB0899CBC25F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653597Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:00.643{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1398F117500414602A21A5B6EE01F1ED,SHA256=D4895AA2B9DCF1E8D462809625B98D68547281DCA277B7EEB62489F912E34217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555272Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:00.269{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1FCB3B1B0DDD12A72367D6E6AB839A,SHA256=C2CC0B6F00DFD99582FEB9D34C399EDF87DDF41061D83BDA853D549D7163EC86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653598Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:01.662{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48FD1126A8ADD33354EE8512E65370E9,SHA256=7A75C778E71E08DC29A27A4BB47E523EBD63CF54737292F215944DF931A3123F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555273Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:01.315{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7221BD7E58DEE9B42EEFF9571FAFBCB2,SHA256=3EE32C9D4A2E85161D0CEC400355F0F8F0EF63752AA103E9FC2A437D8F31E14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653600Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:02.782{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8D1DB2A9AC6FCF69BAD01BA6D31C7A,SHA256=BB8EA579DB165707CE93D4E00B2D9BBEB4973683FD8CFF6CB4096944A2610C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555276Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:02.331{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0DD46301D37F36A4B6E52EAF32AF628,SHA256=BDCE522A165E07C1EF7EF471D72ACE68364A163B8DC57F8AEF62AD685100C796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555275Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:02.331{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CA1C8539392A28F525873A86E53E715,SHA256=7E5F8410D1B287A596F866A168BBAF7BCC5B6EE95CC69833E4D927D9E3FE83C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555274Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:02.315{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A78EEBB8E7D97CFDB2A52B7F5638985,SHA256=B8BC2068A64036F5A72B51BEE3FA019E99F217BF2CB79130AC587A0F63070A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653599Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:02.342{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED1B0D1DC28B3E198CD4E77BC6E5A501,SHA256=01050ACA9BF1C94B51FC4FCC61F2D3BD5ACCB4469D68A1B36E6CDB14295547AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653602Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:03.800{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0A57557221F18248418EA77A8ECE0B,SHA256=DD5CFA634A5E1DEEC3592546417F0924CA91858BE41C700724F2AE3CB4546026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555278Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:03.316{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E1CDE639D3B58CDD468251D9403A96,SHA256=F893A71F0735CBD743F2C9AD5E62E88DDF7C13499416384134EE8AF6E7226DD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653601Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:01.485{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65254-false10.0.1.12-8000- 354300x8000000000000000555277Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:00.817{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51686-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000653604Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:04.814{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A3C30255DFB75A33DE73F067FFF0B1,SHA256=6A74FDC3AADFA22273314D28F5B8815565BB63548661553FCA58422152C570B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555279Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:04.364{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=299448B90150AA9DD7AFDAF9C4D0AB49,SHA256=AA6322C3BB348830FEB4E17F89A65625489BAF8D186F0F96711B03ECD011FBD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653603Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:04.069{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C83B99B4082A4A2CA011A7CB8CC38F3,SHA256=0545D29877BDF54E3B86DD52D3355ACB01A384C52A418F7E3AA63DCC03BFA5E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653605Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:05.829{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C492EEC95C443E307CB4825325DCB7BE,SHA256=71276141AC1919DF21D53F27A5DBBCC48497FA50F411F993944D1615FE301E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555280Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:05.367{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D03E1980F651454B69CFFE13ADF196C,SHA256=738C7D8658945BD0F93EBFA5DCBEA6D89008E6F38CBD51C1D673A815D2D12C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653606Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:06.870{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E7EC37689EB88B5E34EE02656281D2,SHA256=7E86E48C59CB475261026536B0B6EE640218B7B01E3B5FF9FC9EF6C6014DB794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555281Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:06.382{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC5EE49D0D1E66202C5C42842000407,SHA256=E8398777970B5F7B91A4283116822716E82AD9A7CD82E33DAEE6D1B156D2C794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653607Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:07.873{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A40358B12FF5818A28DEA5099BDDF0,SHA256=D8EF945AFB187D8E1F9526ECA59E84E7F6E5B6256E538C49E0D845D65DF8958A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555283Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:07.414{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7D452C5C5421BB71388D35113396C6,SHA256=E018BA34E3962709D1CFB2CCE38E54FAFB22520D0623257126EE287703E46F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555282Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:07.273{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0DD46301D37F36A4B6E52EAF32AF628,SHA256=BDCE522A165E07C1EF7EF471D72ACE68364A163B8DC57F8AEF62AD685100C796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653609Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:08.885{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E66628CDAA2DAD80451605C8B87EE23,SHA256=BC1CF1D9D9FB4CDFAD8F295ABA181716BB447F1297C590CCE3EB913031C5647B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555286Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:08.804{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6285429BDFDDB54A22118B1D769BD0E7,SHA256=753550C5B5584C0473B88CC5C96A3A454FB4CEFDAE080903A0F75BDC157D3BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555285Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:08.445{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7AFCCC8B1D51591E03ADEAC613E834,SHA256=4D026813254CC2D255BE5654BBCFDAEB3E87EEF5CE843E60DE42288FF189C6D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653608Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:08.156{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36673ECAC0DFA2B77681EEE362F50A97,SHA256=36819E80CE880005164C570B49865142195D91830DDAF3DE07AE1F27B380DBB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555284Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:05.884{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51687-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000653611Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:09.903{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EE4FAD60E15B6D24ADEBE5D2BF6667,SHA256=C4A6A6074F6985FF46B513B98A0D32DA83771597D9958C886A621D097F7DF03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555287Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:09.460{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D57E6B77231B55242173F061EE27AF,SHA256=365A6B4DB4DAEFAAB0696FBF88C6FC03F5179689335B9C8D0C41CF4B085A8792,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653610Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:07.348{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65255-false10.0.1.12-8000- 23542300x8000000000000000653612Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:10.914{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3F2ABA2118F4EBE0600278D39FF1AB,SHA256=B123D7F31A6831B984F5D55E6E3F30AA8877BA2F9D8D9ACAFC524B6A85AEDCE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555288Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:10.460{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81094B97B2F05B38529070AD5326C2A9,SHA256=7107921371C4C9A65CCDC7E1B310923C0D1D8DD0076FC4925FCBCB5E2EBE7E14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653613Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:11.916{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC63E95A51E912513068D9774D7AFB02,SHA256=2ABB53794FBD648D31E399CE4860B59732B71C65AA981A5AABEB31E1518D06FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555289Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:11.492{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A8DAD33385BD3E842ED953BAE398B5,SHA256=8868D180D027F06ECA87A0AD3FCF60FD6D923B5CABC7BB7DD6C3BE651C3EC509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653614Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:12.924{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB43F2707936CD84543FB9B04D94C7F,SHA256=011FA8221A32C5F25BA97E820E0929C8BE574719E4B6DC30979D33C1C50EF8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555290Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:12.585{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794FF76F0AD44C78810755D896383C73,SHA256=4BE353261E07E9FF0895B019EBD727536CC44AEFF62F259DF0659839E953722F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653615Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:13.932{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F0FE6D0CCA140D7C9AC1D744614B88B,SHA256=4CCE5421E2B4DF64EBC4149D9BD21466E6DFF6FF19F5940D19BDC8572F9C868A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555293Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:13.664{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042C1A4CDE55A81AD2EA85F78F2630BB,SHA256=1FBA67BA5E1CB22D371B3F02FCA439F78033E75F4C92EF9A09DE7BD1209DC68D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555292Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:13.164{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83E2D7A0C7F3D3859E11C6B2684449A5,SHA256=2C580B1594871FF9F61EF61B41DA719594BF092498889F69A3CDD032CC3CF4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555291Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:13.164{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31CBB1B594A363EDF04637A9BEC31B1D,SHA256=9379AAF3D2F49E4628746657F1B5EB9C79418DB8AC30089E9487F5E70E3C106E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653618Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:14.945{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D101B94DA80CFB08251AC414ECC738,SHA256=90E3D797858C1C4A2FD0BEBE72022EDC75EB9BD1208144B467E65E9D9FB40BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555295Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:14.679{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154664EB95EAE26C624EF7F18C0A12C9,SHA256=B1DB540144A3516216EF6330A1BC1A825CDF792EEB474CFFD1D8F8141E413B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653617Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:14.154{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BA587E072A9C5ABD22B92974FAEA054,SHA256=41B99E7C2FDDA874BA336CD8FD0A4BEA4FA68ED06E8ED4BD7D1F4878C9AFFFC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653616Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:14.150{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=912CA1899A848D435AA871079E60337F,SHA256=7E800A17344F16301E5FAD393DA5931AE3DE8CC36F7CF6A3C3C56B826EAC268B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555294Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:11.774{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51688-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000653620Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:15.958{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95B26A457F6BDA13ABBC5622E4FC7EB6,SHA256=E8D718FBF8A4F465E7898644A19E8830E5134161175D87CBC93691FB49D483C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555296Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:15.695{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B723A4E1A7C36774DF4B58D91C7873B6,SHA256=F7F447724EC22D0F12B9F55A21D9B31834627E67E055D269EEFAF6CA9056D3FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653619Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:13.381{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65256-false10.0.1.12-8000- 23542300x8000000000000000653622Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:16.992{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BA587E072A9C5ABD22B92974FAEA054,SHA256=41B99E7C2FDDA874BA336CD8FD0A4BEA4FA68ED06E8ED4BD7D1F4878C9AFFFC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653621Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:16.961{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48065089F4B2E36CF7DC22F45F5FEC8,SHA256=81B9784C92F0EF225C1D97023B661396E39B4B2243DDD9299C4CC9790AE5D166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555297Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:16.695{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8BC1EC0772F195BDFB576CB8D2396A,SHA256=ABEC9B5B557E8976F1A731F59793173C575350583CD11374094E1CB0BFE78E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653624Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:17.988{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F131A0C49A9BD6E5D4FA4953CE8092,SHA256=731642B10AE0D66BDBAB4702BF620FF9008F32E22BD7AEAB26927885E01564B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555298Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:17.726{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531E68287E990B5560A289CC86F34BD2,SHA256=1334B5290BB10897CFAE609BD2456AC142BEA6AABACDE7DFFE85621BCAA74458,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653623Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:16.198{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53284- 23542300x8000000000000000555299Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:18.742{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586651CBD20024236DFF5A37D0D272DA,SHA256=B8D08DDE8CC8DC07A41AB1D81F6FE672F3389FB50616C945CA1AC7913D2F12EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555303Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:19.773{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63599E0F0BFC33D2CD2C5A6F3992F4F7,SHA256=D51E76291E122C6D848E349A48EACF15FB2ECC5281B01164337B5CC140A39CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653626Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:19.066{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADAFFF55F1CC401A6DB8FD6A01257386,SHA256=559586FC7250FAE9702155CEE781AAFCD467942A0D2ACB575C40C044A485EB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653625Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:19.004{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F568128AB2D60A299840D100477DE4CA,SHA256=3D0E6817D4DE11064D2EC5B4EB54BC700E9E230F6172BA420839115A046FB1D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555302Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:17.743{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51689-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555301Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:19.101{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CA6D698AEB0E3B834DF051BB6559D02,SHA256=57BB1E581BC6A6E03C44FED986E42448725ECAEAF76A2E629A8500A0B867E9FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555300Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:19.101{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83E2D7A0C7F3D3859E11C6B2684449A5,SHA256=2C580B1594871FF9F61EF61B41DA719594BF092498889F69A3CDD032CC3CF4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555304Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:20.820{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C8B7C22FB67EE49A321427DFC39660,SHA256=1EE078A1BB5834FEB23561D82E4F51898493ACF0CDC143CCB30E89C569F42D3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653628Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:18.414{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65257-false10.0.1.12-8000- 23542300x8000000000000000653627Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:20.014{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71C7EA21F4E96B94A74FC27D8997A5B,SHA256=CADC47FDDB68D3550E2E9CFD5C99180A2E55AB328FD43BC63B7E7B019837AC4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555305Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:21.820{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD35565823ED7B98547D3D28C2107C8,SHA256=BBAA1CCE7587C528A2D09D8FDFA138E71994D82FF4D5E13AD2AEFA239089A9DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653629Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:21.056{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=499F3CC9E974412C170D01F52447D9C5,SHA256=0A058A0AC2157A627760EE9C7387D31BFAC3730A4265F2B17DA62575B0D5566B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555306Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:22.867{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73603A5EA62B81AB97CA1572AFDC5AB1,SHA256=F46BEEF7578DF44526B051748B9591E461F3BD29FDF1FA167479EB3D4052193E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653630Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:22.066{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51151253E5884D2CA096177244895F2E,SHA256=596AB656D383927224F7B87EF8844ACFD7A6F8752C4351B384824AD64B43FEEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555307Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:23.873{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C44CF371929C89F7C575015AC9110E54,SHA256=31EE42AFD7A86071B2914221D97A0D215921BF2B0BE16C72E26712908097F00A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653632Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:23.099{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653631Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:23.070{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46E02CDF5445D032F2ED12B4E7E6DC9,SHA256=1FB1E001E03630D73C32FD1EFDCDC8970C105D5CBE7BFB986D9CC9E041BCDCC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555308Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:24.889{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A60DA0B7ED7B67F4B8174EEB6BA82AD,SHA256=D11147F42D8113336C8F88225DA5F66C37C55DD71B8829D763713FDBB9D6D844,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653636Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:23.315{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65258-false10.0.1.12-8089- 23542300x8000000000000000653635Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:24.082{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22BBCA8F651AF7B0E01B7047B17AF82F,SHA256=5476D73A0E223D7A497ABEC321864491054DA461A0488049E66AAC26E226BC27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653634Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:24.081{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63E3E53B61C1407C2DE1D60D66F0F59D,SHA256=0E8C8B19D5A16CD21744F51BF456A2504D70E3CC823FF2C9A9A18B59ADB8F53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653633Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:24.077{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081D11436DD674D9D29E6EFE9977CA0E,SHA256=752C2FCE5D8507A39FF6A94C403BBBDA0B76AFBE277E9D4A8FF3B2C70F00724A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555312Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:25.905{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612F780C249E9EE7CDFF4D048D7C18DD,SHA256=838AE80186E27CB63766FE5F68B5E02E53FB7B39CAD35722463D45F8059C194A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653640Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:24.297{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65260-false10.0.1.12-8000- 354300x8000000000000000653639Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:23.632{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65259-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000653638Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:23.632{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65259-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000653637Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:25.105{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5D6D9C4E4F79C7F4CFB3C934531587,SHA256=64F2668E5F83E9096FF1D7E819D02044A91A7E16343E8675ECE66DB6C9477E1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555311Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:23.734{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51690-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555310Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:25.124{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29DF66CBEF14C09F270C9B7660D1EDEB,SHA256=F20E55AF8D810B1D7277AC12AC4789CB72B41545416BB099FBFE52FDBC9DD7DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555309Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:25.124{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CA6D698AEB0E3B834DF051BB6559D02,SHA256=57BB1E581BC6A6E03C44FED986E42448725ECAEAF76A2E629A8500A0B867E9FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555326Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:26.920{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA95D2F3285E8927ED95D5230603630,SHA256=7E97141C30FB1F10A6675762DA481991AB530E2AB5CD679076EA96DC771F8A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653641Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:26.109{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2BCED6C6F5EC0827DA2B0D6D8D6C8F,SHA256=117C3EA7E26E7B26F59E74E4D157202A8BDB55E9867EF0C355E0F42615F8BD21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555325Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:26.827{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B1A-609D-894E-00000000BB01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555324Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555323Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555322Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555321Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555320Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555319Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555318Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555317Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555316Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:26.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555315Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:26.827{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6B1A-609D-894E-00000000BB01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555314Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:26.827{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B1A-609D-894E-00000000BB01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555313Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:26.827{E1BD9FC2-6B1A-609D-894E-00000000BB01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555343Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.920{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDF7A4F3688C629D17A0F1D77867168,SHA256=ED49A8CD70F852B4F4F47BEA3FD2CEF9F182B56E6DA4437D59E3EDF030154432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555342Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.920{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29DF66CBEF14C09F270C9B7660D1EDEB,SHA256=F20E55AF8D810B1D7277AC12AC4789CB72B41545416BB099FBFE52FDBC9DD7DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653642Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:27.112{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47391298DBC3EEC1B0C5EBA5591438C2,SHA256=EC26C578B00AE80ECA85AD154112EC5D1CAB89B234DD6E3A87E4B370F452F0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555341Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555340Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.545{E1BD9FC2-6B1B-609D-8A4E-00000000BB01}3716808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555339Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.420{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B1B-609D-8A4E-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555338Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.420{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555337Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.420{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555336Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.420{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555335Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.420{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555334Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.420{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555333Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.420{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555332Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.420{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555331Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.420{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555330Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.420{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555329Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.420{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6B1B-609D-8A4E-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555328Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.420{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B1B-609D-8A4E-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555327Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.422{E1BD9FC2-6B1B-609D-8A4E-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555357Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:28.952{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF3F73F4C5BE786F736180DB97051FA,SHA256=65E6E8439DC1941921A08D31C545B83A714FFC0C189EDB04F26E74294C940955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653643Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:28.128{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3CF5B91E0CBAE0AC7EF01A3197D0D9,SHA256=16027A2C9AA69B6A9F20DAE31C635A15A5C328F470CE0A1F5BA6EA536EFA0BED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555356Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:28.045{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B1C-609D-8B4E-00000000BB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555355Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:28.045{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555354Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:28.045{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555353Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:28.045{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555352Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:28.045{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555351Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:28.045{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555350Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:28.045{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555349Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:28.045{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555348Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:28.045{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555347Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:28.045{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555346Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:28.045{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6B1C-609D-8B4E-00000000BB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555345Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:28.045{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B1C-609D-8B4E-00000000BB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555344Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:28.047{E1BD9FC2-6B1C-609D-8B4E-00000000BB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555360Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:29.952{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF705419E813EAFC999DA2D97663F05A,SHA256=4CE965C7AE1B9E0581C61ACBFD75EFDE0416CBD2E387E955395EF77751CFFFB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653644Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:29.132{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA60C5639003B9924C50244B98CEFD10,SHA256=D7F8E64FD03EBD71A04BE278FF7B4269AFA262829EFE29907D0795B9C7C9EB0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555359Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:27.375{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51691-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000555358Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:29.077{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57366441B34E14F24FF05C73D93F8090,SHA256=BEC2B95ED02B1AF77730E99FEA3DB11A52CC997F7040905F7C22420BCCC539CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555363Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:30.952{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E4AE715AFC6791208116733DA8740E,SHA256=6549B3CD05A4C5901DDB2ADFCCE2C914BBD17E7EB0FE376A7858B5B2EF0B8E3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555362Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:28.891{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51692-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555361Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:30.280{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61372C065D5D53BE9712AFCFCFB814ED,SHA256=DA16EDD1C2DC0053CB908054EC25C0215B10B2224A1917642B90C3F40CEF62E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653648Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:29.426{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65261-false10.0.1.12-8000- 23542300x8000000000000000653647Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:30.210{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAEEB7780E702E6761C8E70A3671357F,SHA256=E1ECBF8909586EC5D6676541879EE303F77FDD664CAE5ED7A8D9FB265DF46A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653646Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:30.209{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22BBCA8F651AF7B0E01B7047B17AF82F,SHA256=5476D73A0E223D7A497ABEC321864491054DA461A0488049E66AAC26E226BC27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653645Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:30.148{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCE63EDB6C74D990EF18BDD624F37A3,SHA256=D898351B9932BB3F7260A75A9698187C49E00AF6DF8C22FB1B9310B9EE5BBFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555364Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:31.967{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2065DF12A9309445E5143C41B79F31F9,SHA256=4432E2DC74120E40BA73BF62C0F1B1B535367C4D445889C39DDF9F801B6C1D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653649Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:31.169{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42ED82342D17FB370DF54B500E3E4F4E,SHA256=EA4F142B11E746D255CC562C221650683AC7939B76935A09C66A0BE894C53FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555365Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:32.983{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63C47AEB6CC8CACE2A22C23765609E2,SHA256=256B71F55AD15B24EF9E606C98A1BE60705B7BE39B417DFD1F676F906C267656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653650Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:32.181{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4DC15512568DFED23BCECFE68A1F31E,SHA256=CE46A2982ED1870C9A91AD2A0C4FDF79F3BF2907DE54918E94C80F63408B0E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653651Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:33.199{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2EFE67F0B431F0F707B0BD7B2DD328,SHA256=A3F2BA3E67E456B3629AFB3B2CE9DCCD65754614A84326D2F3867634ED477C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555366Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:34.030{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2AC6321495FFF8C4702FA4CC988493B,SHA256=90D73684C3B703C02B478EAC36334A8846E9CE946C447C13E2D822B69951DCED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653652Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:34.208{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B03BB7B7699ABACE6C06C7C0030B7F,SHA256=5CA4059B6CE03241FD9ECD9A923D93BBCFB177BF21EEC3D79E584897C9351C96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653653Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:35.226{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EF75947C7640B80A1280A5AB2ED9E3,SHA256=6ABE8F9940EB018B6620CCA5260DED115623325092568FE2833C6980D4CB9BC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555380Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:35.920{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B23-609D-8C4E-00000000BB01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555379Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:35.920{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555378Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:35.920{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555377Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:35.920{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555376Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:35.920{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555375Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:35.920{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555374Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:35.920{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555373Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:35.920{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555372Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:35.920{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555371Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:35.920{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555370Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:35.920{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6B23-609D-8C4E-00000000BB01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555369Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:35.920{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B23-609D-8C4E-00000000BB01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555368Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:35.921{E1BD9FC2-6B23-609D-8C4E-00000000BB01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555367Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:35.045{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9CFF1AFE2D0E5A3F28B775F53C5D55,SHA256=CCCA6F39AE28094934410E68486A3567E342DA91530D4A9965CE63B4EB8D877B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653657Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:35.337{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65262-false10.0.1.12-8000- 23542300x8000000000000000653656Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:36.230{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF98A7C43B34D53A70BE1E1B0D619BA,SHA256=1B771221C3795BA8034EE42C2E529579F8FF5F0D38F30846A8F25B28B9B0B338,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555399Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:34.719{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51693-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000555398Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.717{E1BD9FC2-6B24-609D-8D4E-00000000BB01}21524052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555397Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.592{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B24-609D-8D4E-00000000BB01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555396Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555395Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555394Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555393Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555392Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555391Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555390Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555389Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555388Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555387Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.592{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6B24-609D-8D4E-00000000BB01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555386Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.592{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B24-609D-8D4E-00000000BB01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555385Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.593{E1BD9FC2-6B24-609D-8D4E-00000000BB01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555384Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.249{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88EAA78C24A69C8D4ACBFAF46796C4BA,SHA256=AE5DF0C467DA5316189D3DAE9DAB31B8AE5725FC45963D01CAD81D3AC54D32B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555383Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.249{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FC3FA18965CFF00F5689055B1CE85F8,SHA256=4DBFAF53AE071463425065D05A9F5DEB9C5026792491759EAEA5FD2A97332F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555382Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.124{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721EE3F4D789A8DCBE84A4CB7BC5E4D5,SHA256=2BD42C08D33EA4C68EBC51838A212D4CBFFC4D36D1C8A20E19D21083CF5B1817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653655Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:36.095{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A57DF270EAD6E0F9C88F84359F5CB2BE,SHA256=16467C7C5CE2090D3F8F36EEF05A5D229B08DBE428747500E4E146EC51E8111C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653654Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:36.094{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAEEB7780E702E6761C8E70A3671357F,SHA256=E1ECBF8909586EC5D6676541879EE303F77FDD664CAE5ED7A8D9FB265DF46A42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555381Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:36.045{E1BD9FC2-6B23-609D-8C4E-00000000BB01}25203684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653658Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:37.241{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA2AC0DC30BC7EDA51C5E1B3BDD7B2B,SHA256=7DD0527D165A4A81834CC26729F04F673142F80CFAF6F004EC1ECDAC8C4DDF0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555428Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.936{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B25-609D-8F4E-00000000BB01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555427Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.936{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555426Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.936{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555425Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.936{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555424Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.936{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555423Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.936{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555422Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.936{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555421Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.936{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555420Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.936{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555419Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.936{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555418Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.936{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6B25-609D-8F4E-00000000BB01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555417Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.936{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B25-609D-8F4E-00000000BB01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555416Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.937{E1BD9FC2-6B25-609D-8F4E-00000000BB01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555415Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.592{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88EAA78C24A69C8D4ACBFAF46796C4BA,SHA256=AE5DF0C467DA5316189D3DAE9DAB31B8AE5725FC45963D01CAD81D3AC54D32B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555414Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.389{E1BD9FC2-6B25-609D-8E4E-00000000BB01}36962528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555413Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.264{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B25-609D-8E4E-00000000BB01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555412Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.264{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555411Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.264{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555410Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.264{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555409Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.264{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555408Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.264{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555407Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.264{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555406Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.264{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555405Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.264{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555404Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.264{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555403Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.264{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6B25-609D-8E4E-00000000BB01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555402Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.264{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B25-609D-8E4E-00000000BB01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555401Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.265{E1BD9FC2-6B25-609D-8E4E-00000000BB01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555400Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:37.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D85E250941E0BB185474AE06B994349,SHA256=288E734DFD0ABCCE480496DEDBFBDCC265799A4320C935867DA0C46C619B2D61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555447Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.967{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3011B3DA7AD3BBD3B41186EB685309DA,SHA256=F9E78DB00947F8A8C1C7624CE840B37E7F72CF481F203EB02E44EABDA2B77277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555446Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.295{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F5AC4FE92AFCDF2F56E61298FA95C0,SHA256=A5E759B39D11B331C907DC4A64EF549CB2352F3B3A9B20749549181EDCF9DC2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555445Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.295{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E035512C9C685686E8DD0861304A297,SHA256=63B242F9EB14897BF8D6BDE854D27D98EF33A70CE001BDC9A9B0E695D1B31FE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653659Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:38.287{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C3E0A7AE181D9C37A14185EE7615DF,SHA256=91F122B58C3E22306F511A90896563ABFA2E960D202B11B724927F8FDB7B4F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555444Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.045{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555443Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.030{E1BD9FC2-6B26-609D-914E-00000000BB01}19642604C:\Windows\system32\conhost.exe{E1BD9FC2-6B26-609D-904E-00000000BB01}1344C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555442Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.030{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6B26-609D-914E-00000000BB01}1964C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555441Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.014{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555440Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.014{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555439Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.014{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555438Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.014{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555437Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.014{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555436Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.014{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555435Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.014{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555434Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.014{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555433Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.014{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555432Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.014{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6B26-609D-904E-00000000BB01}1344C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555431Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.014{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123780C:\Windows\system32\svchost.exe{E1BD9FC2-6B26-609D-904E-00000000BB01}1344C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555430Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.014{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555429Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:38.014{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000555450Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:39.342{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D62CD71E6D22D2A68F8F09F3972E983,SHA256=7A49B6C177AEAC188CEDD753194AADDC5FA80FE4197A99500454D3CB544128C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653661Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:39.309{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE7D9C6B101D8AE3DD90485DDE6F352,SHA256=B34A780B316C0621E470ABCA124971D8E305767606BEE22E5201996B92D43DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555449Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:39.092{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C8D2723F6D7DB56EC65FDDDD5C8FDFB2,SHA256=E1CCF6231165FD05AEC8B64C3D50124E418D3CCB259823DCC0E8568DDA526FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555448Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:39.092{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=16A09ED0B559BE44010B81D48660FBDB,SHA256=357AEFF42523F50D642249DD138E2261A4BD250B85DD180C02ECCECD68C69CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653660Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:39.105{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A57DF270EAD6E0F9C88F84359F5CB2BE,SHA256=16467C7C5CE2090D3F8F36EEF05A5D229B08DBE428747500E4E146EC51E8111C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653662Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:40.372{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=868065935E5A3436AC4156C430BD5995,SHA256=E66C3CF1EB776697AA8CECA3D2003CD8D37FBEE0E92B95A4B2586DB7C4B2D0D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555451Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:40.374{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B04B8018AE8C5779FF06C281213E58,SHA256=F4453D6689F6D1D794AE4BF728DD1702542852C552DD27BDC653C9238C7CD403,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653665Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:40.440{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65263-false10.0.1.12-8000- 23542300x8000000000000000653664Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:41.376{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1A80588C24A2FCCBDCB3DD6E19031E,SHA256=9F7C7C155F75DE6441F9A0BEA1E2E4EBFD653158840DE132770DCB8CD8054705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555453Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:41.389{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B617D1EE1165D69D7ECFAC97537C61F,SHA256=2735DFB5B0EAE6FC68B5F489580819FA2539240A06D080C41070274E23274A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653663Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:41.206{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B37D889791D7F5E770EF581141FAB41F,SHA256=A297FEE8927AA90EA59F6F8EB1BCB44AC81FA82504243A52BB1CE062D11BCEFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555452Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:41.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76E605F54D089AC325074A6AB68ADD4F,SHA256=49B0E0DFDB5D4672D00A73FFDB2EE6997117E8DA80E595FD6D3339B1C291AA1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653666Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:42.387{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CEFBD9B3D4AB6CED57EC1A9D51647DF,SHA256=B78C7F59B034A74CDB19F4BC042EC669D6284597575C8F2A0EDFE995AC1D2B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555455Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:42.405{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7411DBE09BA164B81C0D0CFA9B684D8C,SHA256=960B9069ACED55A520EB936665DA3B27BF593EE128501B603A029EA82D09C54C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555454Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:39.812{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51694-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555456Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:43.427{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69771C10B6530A3CFB01716BB167137B,SHA256=B512D2642AE4A72E6B384E62F9A150482C09F9C395415AD68382FF80B0D1DB7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653667Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:43.398{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2425C38C8E19636DA38A248B7D167D1,SHA256=91A599BF9863ADEF7146A546033DF11CCADB0C0E8863A2D211C0E9B30B4985F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653670Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:44.548{7B03F3B2-4788-609D-774E-00000000BA01}1036ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1036.xml~RFa2b2834.TMPMD5=5714059E6175AA2BE2D911D4379F98E9,SHA256=264C6878029CE25FF6ED4F8B1DC23FC47E1DCE8FD2D3EE4B31E7066B69968955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653669Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:44.425{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A44F014CA4D3D2ED5CA1EF5C9F8C2D,SHA256=061F095E51957AB5438805BCE1D340FB83B59DA6658312582EA356E95DB05D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555457Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:44.442{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925E225931C956DCAB21C6D91A6DB95F,SHA256=8853EA5ABDA57828AB1072603D8B70A0377A5C8A1B46F84F37348C8B8EC95814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653668Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:44.081{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B651AD795BE9D558E7BFE5FBBFBDF67,SHA256=F118F506276C476B08377F0946AD47D3C8DDF19C1919B349E9B03F421744E64E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653672Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:44.207{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local59545- 23542300x8000000000000000653671Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:45.430{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB2E0EB4C1E24956FDE47441D249C18,SHA256=020C5B50EF681B35A6627759A4183077129FAE9591436C3DAA7124A0CC03E048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555458Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:45.458{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F52CFC9CD61E90977DC26B5C5B11A1,SHA256=906925027CBCBF173CF49A1C6FFC29557A97F548C89B125F7CB3E48D62D17F8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555459Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:46.505{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF070E9F6A3B2FE4F8C095FA09E0BC3,SHA256=2E5CCDFCADC607BAAE91B5B54F1974251A4771E242F96622B68C1E5CA7BD0E44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653692Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.999{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6B2E-609D-7A53-00000000BA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653691Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.996{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653690Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.996{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653689Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.996{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653688Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.996{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653687Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.996{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6B2E-609D-7A53-00000000BA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653686Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.995{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6B2E-609D-7A53-00000000BA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653685Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.995{7B03F3B2-6B2E-609D-7A53-00000000BA01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000653684Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:45.498{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65264-false10.0.1.12-8000- 10341000x8000000000000000653683Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.567{7B03F3B2-6B2E-609D-7953-00000000BA01}48527364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653682Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.495{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73677C580870FAEA12F90669BBEC2A10,SHA256=FAFBDD7C112DEDD0A828982B27D61F63C1115A03D88E3703CD8E8F0E0DD53D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653681Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.330{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15C9C5867293A870217563FE79547E7E,SHA256=C67086C4B99CA09EEE8CA5FA5E87E9CEE4FDFBBC73CAC5D3E6EDFC724A334930,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653680Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.325{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6B2E-609D-7953-00000000BA01}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653679Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.323{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6B2E-609D-7953-00000000BA01}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653678Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.322{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653677Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.322{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653676Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.322{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653675Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.322{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653674Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.321{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6B2E-609D-7953-00000000BA01}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653673Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:46.321{7B03F3B2-6B2E-609D-7953-00000000BA01}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555462Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:47.521{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26EC2F64D22C62F03B697929DD051A03,SHA256=9C6B0D887BAFD10A8E6FA13F8910242559E1FB9574590D61A7D5E2E9DFF2214B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653702Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:47.573{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6B2F-609D-7B53-00000000BA01}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653701Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:47.570{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653700Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:47.570{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653699Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:47.570{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653698Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:47.570{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653697Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:47.570{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6B2F-609D-7B53-00000000BA01}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653696Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:47.569{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6B2F-609D-7B53-00000000BA01}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653695Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:47.569{7B03F3B2-6B2F-609D-7B53-00000000BA01}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653694Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:47.512{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4699228898E199ADC75A8EA7527BCE,SHA256=07116358D0A5A90B1D5848D52422ADADD8BD1EC2CD7B611C7956FBD9B8EEAAA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555461Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:47.099{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D0CD174BB17CD74F48FFEFC678D8B91,SHA256=C169E159B76CD025AB698865103A0527F4AA400D41D9C8D571AC62189B36CB13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555460Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:47.099{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E18F87AF4C41CB605320DFA1A24604B9,SHA256=CB50C1D682FFE080086A666E6723319C92F262A4432AA3B6B2689F3EAFF4B674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653693Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:47.339{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80D8071C7F12A61B962F652A25DDEC7D,SHA256=3221819BAB466820EF0F062B1593747115E829813202EFA1F4AB8D0680E9A9E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555464Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:48.536{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CBB988185FB6084E8F1DEC03650AEC8,SHA256=AFFCE834F28611F4E46F40D3A716290618DD1354CB213CEC801FB69A3B72904E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653713Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:48.676{7B03F3B2-6B30-609D-7C53-00000000BA01}32487020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653712Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:48.574{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9AA608FA547DA8FBAA06771BEA02A48,SHA256=D77E0CFA66B66F9C1FDC97783FA03ADD1DC2C07690BE499E8E28A387C3687ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653711Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:48.532{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CCC5BD47CE63EEFC979719817A9503,SHA256=844901C0EB661F08794510FB46C401BE1DC7A082F3DA719C159FDB384BCDFF03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555463Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:45.741{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51695-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000653710Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:48.510{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6B30-609D-7C53-00000000BA01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653709Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:48.507{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653708Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:48.507{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653707Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:48.507{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653706Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:48.507{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653705Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:48.507{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6B30-609D-7C53-00000000BA01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653704Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:48.507{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6B30-609D-7C53-00000000BA01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653703Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:48.506{7B03F3B2-6B30-609D-7C53-00000000BA01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653724Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:49.717{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B4AEE18AB74DC512967EAAC62F1252,SHA256=47599739FD0D783C522A260B3BB77C2BC96D8532767DDBAC594A89CEE992D026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555466Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:49.553{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8F931CD671C3D995C3BA7A85722E7D,SHA256=63AA5396EE2422572D4922F7EFA132AA53A00A8A26BBF21896A5345AD285FC29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555465Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:49.020{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281644C:\Windows\system32\lsass.exe{E1BD9FC2-D2B7-609A-0100-00000000BB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000653723Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:49.702{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBEEE57EA49DD8EF4E34F7206DD11956,SHA256=CA0E0184A8BA11869C74C7E99438B1C8ED2A794FEA8CF392E9834D11F1938E30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653722Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:49.360{7B03F3B2-6B31-609D-7D53-00000000BA01}42442384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653721Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:49.183{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6B31-609D-7D53-00000000BA01}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653720Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:49.182{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653719Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:49.181{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653718Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:49.181{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653717Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:49.181{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653716Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:49.180{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6B31-609D-7D53-00000000BA01}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653715Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:49.180{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6B31-609D-7D53-00000000BA01}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653714Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:49.180{7B03F3B2-6B31-609D-7D53-00000000BA01}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653725Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:50.733{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B35CAE3750959FC5815E8F12F877D4,SHA256=B23E97C35FE255334D8879E614DDBADBA7363BD8F7D190CE30CAE4D29D88507F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555468Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:50.584{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042EF3E1071A2A0751819397E541AF38,SHA256=C80363C2754CB4728056C2B254B688F8A1F24D4103FDF6B3ECDAAF9AB1EFC145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555467Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:50.022{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D0CD174BB17CD74F48FFEFC678D8B91,SHA256=C169E159B76CD025AB698865103A0527F4AA400D41D9C8D571AC62189B36CB13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653744Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.992{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6B33-609D-7F53-00000000BA01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653743Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.988{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653742Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.988{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653741Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.988{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653740Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.988{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653739Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.987{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6B33-609D-7F53-00000000BA01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653738Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.987{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6B33-609D-7F53-00000000BA01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653737Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.987{7B03F3B2-6B33-609D-7F53-00000000BA01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653736Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.782{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F54A8DA6EDE33139B0CC0A88998A2CE,SHA256=24FD4A9FE942D01EAA9E3B4A5256A8E3DBAB7B9D8EB040DC559CE3A206B68D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555470Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:51.600{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3CCAF4B4B608E44B53A530B6ECC4D2,SHA256=8483D2B111C809750CBEC53FA83A45952CDFCE24A42FC3E51FD29EE0C2E9E74B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653735Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:49.270{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal51696-false10.0.1.14win-dc-18.attackrange.local445microsoft-ds 10341000x8000000000000000653734Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.289{7B03F3B2-6B33-609D-7E53-00000000BA01}34923868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653733Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.121{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6B33-609D-7E53-00000000BA01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653732Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.119{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653731Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.119{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653730Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.118{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653729Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.118{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6B33-609D-7E53-00000000BA01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653728Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.118{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653727Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.118{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6B33-609D-7E53-00000000BA01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653726Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.118{7B03F3B2-6B33-609D-7E53-00000000BA01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000555469Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:48.666{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51696-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 23542300x8000000000000000653748Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:52.962{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=078EE9F9F03632F17F79663C6C334514,SHA256=C81874555F2FE95DE18E5BBCCAC1B802029FFA29FD30813F3F31CD1060DE47CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653747Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:52.790{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61664492587C0ACB50CBB13A1D56BD0E,SHA256=22B570E0FD190BC5CE8915CD1AF9CD142DE333296CD484F89D0DB1F1BE698A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555472Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:52.647{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B711DE6794A41EE033AF5F40C89D843,SHA256=68FE8DB95334FDB8D54F73AA3E55FF2DBA3CD7A74C57E55FDC3EB5146BFA77EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653746Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:51.297{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65265-false10.0.1.12-8000- 23542300x8000000000000000653745Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:52.075{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=781437B6736EB353C5C5C5444DC79040,SHA256=F23AF9B6135110FD2655A2FE5140F9440860ACCDA8306550829E7C3C68E1C759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555471Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:52.225{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B520160A4CEA36676C123130AE8A2815,SHA256=D35E078B56955C47E93B313258E347840E9DC716A19CEF4282EDB6C426190E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653750Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:53.811{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0637D7576DE089D683933FEE179D9F4,SHA256=629942B229777D080D6DF54B9872B6B7A318C6FBD2F4CF5F7DB3EA31C5D05599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555474Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:53.647{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6C5AF8320BE809E746CF8DAAB1B5298,SHA256=4E24420B26CB6A382B6BECEF766E747D07D4ABE2272C068146F57D19CE626DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653749Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:53.274{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04910AC26A8D59BBDE6EAA358EA8D123,SHA256=F5F605E799A5CDB334184E8EF490CEDE2C749B3A27C4BFC678C747ACD11D6736,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555473Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:50.851{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51697-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555475Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:54.662{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC604E1BAC2521B720CAB01085032F38,SHA256=1789534E6D7CEAE38BB383B4A8BCFCC238C3CCDAE78A57ED9707AF53CC884798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653751Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:54.819{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD299F745BA7AB3E82294E0CA94584B7,SHA256=1704560CABBCB849F553D83602C797021393F49A49D7782F6F234CDA340D0D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653752Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:55.825{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B13600BE2CF002AE2A861C12B1210E,SHA256=C693859A9A883A35061C5959E688FA897016BF51833A78BDBEE05C47EA6267A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555476Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:55.663{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BC359DC6CE7C4BB77C9907B0A1C585,SHA256=BF5188095142727604D812BFD39CDCC2EE6AE17DF27F032FF02DBEF6CF2CB3F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653753Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:56.841{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C053728D115EF45800A5CCC046D04C13,SHA256=DC4747145CD34CA1D04455444418B869C25D097AB4F69DE597A378C4A60AE751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555477Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:56.678{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D01E44EC1B4212DBFC25FFC2C86219,SHA256=2B0FB66143BD8023BD19C19050A0E56A49C0D8E6CD19D33CC02FEACB981C9049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653756Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:57.855{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452B0E69CFF37333298CA1780697CEDC,SHA256=BCF12801462B24AAACA309CB5401DA44FE24B3B59BAE12313F01A63D9E06BCA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653755Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:56.302{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65266-false10.0.1.12-8000- 23542300x8000000000000000555478Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:57.694{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFDAA46A2DAB02E0692AD3FC942C282,SHA256=BB6C2FCB673E1189E11C5EC69CE3B892CD62C4AE3FB6453230214988B55D6812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653754Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:57.066{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=377F9C1EE9AB72C2E823BB251743E3F3,SHA256=6ACEFDFD8B8121606C3D9700BE6FD9BBA85D908E4B8EB4A2371B273C22119798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555481Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:58.709{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A146E5664A2287C9C180FDC3A575D34A,SHA256=428052EFCA4C827412E0604F04E974ED22B4DB35BDF0E40F72509586E28999C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653757Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:58.868{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4207B390992A7F78E1FFC69AAD3B67C0,SHA256=AE3BA0B3AEA59CB86953B15D0D1573D53C60556B080C7F854ED68B0CCAEE40A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555480Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:58.209{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EC19B25F754A70FDBA37833282703EE,SHA256=795A42AC75195AE469F065F6939D111B535D748FE4536DC298DB8460D61D1115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555479Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:58.209{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F231F072F2680F46E956B3D60CD1C280,SHA256=5E9E91140442D2B9707181631FD1E2FA82ECB218A34FC507A98FA4934A8363EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555483Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:59.741{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9E360B6FF9AB7DB1DE2C54E51E67A5,SHA256=85BE350F852AD42DDD12D0C684F4DB43E1EBAB89E7A1D738464CC139A6C51469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653759Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:59.874{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0FAD4C28206202C909E400AF5395D5,SHA256=934399ACC9C9C398446797C5A20DC42283A8D0346FE7D2D775476CCC84A54D28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555482Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:08:56.820{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51698-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000653758Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:08:59.099{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3079E180DEC59F7C6B7EE2C8E510E5DD,SHA256=A4E19B6D2E60ECA85C188B6A628B7F2506E7D6DC37505B0283B2BD10FD088584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653761Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:00.882{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DB4C1FB11899ADD6BF288F3C91CA9F,SHA256=263E8ADF30A28BCEACB9864BE50F838373839E9D41C933F3D82BD3B4E2DCB39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555484Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:00.741{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519FDF0F76E6CFD5EDB20AEC3FFE6CC4,SHA256=700E2244727472626FD3749EFAE123E48CD1C3F96E132891E026F5811DBC963D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653760Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:00.820{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE806110BCAFC52B693167F3EFA1A40E,SHA256=5A4ECF261C5852FA51A0BE0D4E5A866DD68C6AE354820AD874A172D7846F496B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653762Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:01.897{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD24B5AA259707D6D9E7A76CF061540D,SHA256=CE04838F4C2EFDCDE0A510CE81DE99698BFE09F9083501E98063EA51037766E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555485Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:01.741{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=287AD48F665F4B6616FD59CC4A12E9E0,SHA256=2EBEFAEB142222EEAEAA7D2D3A223011DC208C3026039C877C7C0BE44244B988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555486Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:02.741{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68CF47D0405E43FA71E3A881DB95B276,SHA256=80FB1B0695E7F35CD9A003B33C20D6F17737E5D9F1348E293C78749C3FE0D55F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653764Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:01.326{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65267-false10.0.1.12-8000- 23542300x8000000000000000653763Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:02.102{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2676BBEF614C1C3A7605DEEED92EBD03,SHA256=1957E3D58BEB970034137B573031F08895273F7C5E72332B5C80708F45F7C281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555487Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:03.751{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2B1D1E26970D80BCE05966634DDC5D,SHA256=2504CFAA6358E2111FFC2A828E848A2701FC9068988C32D960046CE3183F5A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653765Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:03.116{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513CD97BDE60BACDBE0BBE0FB455AFB2,SHA256=CC4152433A8147672B4FA79C5FCE1974EC97963647BEC7DC64586AF712D69530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555490Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:04.780{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD331C2EEF2188E6A38ECC38ABE63FD,SHA256=F40DD6DFF7BDCE65216ADADD6114C37BDEC74F158175DFB76C95E417FC1FB688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653767Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:04.138{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9AEB27CB89D410543AAA4C9BCC4F605,SHA256=B6AA640A710E44C18D518832AED2587049D424F345C1718F8A2B37C551B36118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555489Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:04.266{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC34E2D9556E0B31C602AF34D1914E19,SHA256=3080CB25E8A4C4AC3BB64312A02B996B271B7A48B1F8467CC3B25B3A44302E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555488Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:04.266{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EC19B25F754A70FDBA37833282703EE,SHA256=795A42AC75195AE469F065F6939D111B535D748FE4536DC298DB8460D61D1115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653766Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:04.092{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45B33B2FC452F9C0DD264E2ABC4489AC,SHA256=4A0CAAA5F9AC38B05AA3ECC8BAFC8CCC4876DBD930415B64BA7C62FEDD6BAE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555492Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:05.781{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D441596C3F2896F31819D1CF61E4C06,SHA256=16B59AD93772CD1439429960C3F1921AB2E912CCB9E6F7074DC8FADDFD87CD7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653768Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:05.197{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4896B594B6E82BBD96353CA9EF25BF8,SHA256=18A5C867FAB7CC5BE26A409EB26277EFAE25F65C913D52D0D0BD6A5622BE25D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555491Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:02.877{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51699-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555493Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:06.843{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584B427EEB9FF51F94B07F252A6ECDC1,SHA256=5A772A2922A5556A502EB47B1A833DF0A40475BDB335146FDC2486DE3694343D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653769Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:06.209{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE88972F5ECEA705470BB3674173FA84,SHA256=89E0AA59C0F58F59CD54EF3955CC357A1F75C9F066B4B80A4A67F6E46A3223DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555494Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:07.875{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE9C9FDF17A753A984A18DDF3A37101,SHA256=5E42E39669F18E69C1A8F2912FBFFB748193C0E2B22793CC21141E5B472051AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653771Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:07.219{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C875219BF551574F34C8718F80EE257,SHA256=0A8765AEB2ACFFB56652ECDACF5F0AB45145C52B8BE12E99E0262412A9417244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653770Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:07.143{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=808A9D1F20B5A421B9A58206D1C77331,SHA256=A409159B744562D30E140B5011F392345E6E56476B9125D3CFE35CA28F5699DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555496Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:08.906{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517AB0A9946B805769E8FAF52DD8D75D,SHA256=115AD194E40E3EB41A5FDBBEFBFE142EE6C9B93909AFB57CE205E3427B866A12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653773Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:06.372{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65268-false10.0.1.12-8000- 23542300x8000000000000000653772Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:08.221{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB38B73C25CC91D57CFDE641651E49A,SHA256=BFF114A68EAD6EAA281068607D78F99B9E376B66D4953E82DFEE7A4CBB043407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555495Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:08.812{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2FD1C721C249E2454C759A5391B69667,SHA256=85A8F6BC1E047BE6B88B5AE64B98A83B26CD79B1FD83E4B112E003D3E5E111E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555497Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:09.921{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39AB6B1F7B2B6E76A2B350E75DADDB46,SHA256=9FA39F46B61EC5432B70F06F6D752E300F651BB400A129642A5E268EB69B7D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653774Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:09.225{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B731C2655689095E3DED1EF48535A7E3,SHA256=BBC284ED644B55E5D304942D193C081087060142E3573444E3B0251CC16AE1B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555500Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:10.984{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF93932ADB16780698DB892CD9FE8CF,SHA256=1F1BFDD4B818EFD9E086B8F407BFE1B043302F9EE1D3CEB710AD15C0692A134F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653775Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:10.242{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF171794309D03EEB1EC1E771F53F30,SHA256=E04A00B6C823BC6164239202A7593065E4736FCABACB1239B6DBDDADEE595A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555499Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:10.015{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4EA42608B2C40E59934E0DD8DCD5508,SHA256=EB90F29063964E8A4D37D8573017A07F9D643CAADAABABEE2A378DCBC1BE253E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555498Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:10.015{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC34E2D9556E0B31C602AF34D1914E19,SHA256=3080CB25E8A4C4AC3BB64312A02B996B271B7A48B1F8467CC3B25B3A44302E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653776Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:11.254{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C9EF4920A9899A9035A88DAE7A7326,SHA256=579BA231015B73451B8FCA0776B93F6D19C813106934070C67B4D2A08E779C81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555501Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:08.657{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51700-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000653779Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:12.276{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D1EB4F12F6D5EB01AB1C81EC79D070,SHA256=02B801026185533C59C53F91F01B6AD9E7CEB43D452B9BC2F2895B5915E44A76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555502Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:12.015{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F8353F441951ECFC64C363C7F7DCD7,SHA256=5FDB6090E1F78727384062C63F29743BD671CCFBC36FFD6B41EF0147F6F954BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653778Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:12.217{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E1F464CE1C7764843846627173B0198,SHA256=D82C956E63673DF1DF9B411174A428B3B253F420F52487D69E81D8C655F09901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653777Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:12.215{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9767A11EB0B21F38956D1515100CFCC,SHA256=FB9C8999A3E48E13A5719EC075D60EB439FA0660DEFD85FBD10C2C98B0E7800F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653781Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:13.497{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDC3C55CE3967D4D672A905AF5FD590,SHA256=0B53A7BA126F5CCC82439D59E7C195A8E79D23168D01C783896B72B14AAC712E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555503Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:13.031{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E697E68E3956EC546571F0159E9064,SHA256=F6E76100D6F9746346661D83583D7D21BCE688A2D4749746E6DAB47C26696A52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653780Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:11.453{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65269-false10.0.1.12-8000- 23542300x8000000000000000653795Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:14.511{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E32A005994C428239B5761BFFBA3A9,SHA256=531C3B7C32551A4B37B924239617787BA2880676C51EEE39FCD44C8A80816B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555504Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:14.062{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7635914CE6038CFE9B7A9744BF51DDC,SHA256=94D0E891AF9D3AAD74D4150CF7AD5CA5D6E27279A9825987AC8AF911B8ECCA3C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000653794Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:14.150{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txt2021-05-13 14:34:13.883 23542300x8000000000000000653793Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:14.149{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txtMD5=6E34582B283FD098D81A4CFE6ED38B3B,SHA256=5F571D5D4D38E35EF33DFBAB7ED2AA4F4A7852AECF1CDF26A07108281CB96308,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653792Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:14.068{7B03F3B2-6B4A-609D-8153-00000000BA01}58523324C:\Windows\system32\conhost.exe{7B03F3B2-6B4A-609D-8053-00000000BA01}4780C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653791Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:14.059{7B03F3B2-D0CA-609A-1400-00000000BA01}10761472C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653790Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:14.056{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6B4A-609D-8153-00000000BA01}5852C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653789Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:14.051{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653788Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:14.051{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653787Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:14.051{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653786Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:14.051{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653785Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:14.050{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6B4A-609D-8053-00000000BA01}4780C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653784Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:14.050{7B03F3B2-D0CA-609A-1600-00000000BA01}13042068C:\Windows\system32\svchost.exe{7B03F3B2-6B4A-609D-8053-00000000BA01}4780C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653783Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:14.009{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653782Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:14.009{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653797Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:15.513{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BAAF9FCC5CEF0005B51CC947C32F974,SHA256=53C8D40D7A53F7117535BDC1F4F5AEF9246585914C00BE47518F0DFC21BC8563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555507Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:15.187{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A85F5042658B8DF2AEA7244A5EC6400E,SHA256=C797B1EEB14ED7FA67024E0C8D65A6B402A919CE8135C17374AE574D0A9A741C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555506Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:15.187{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4EA42608B2C40E59934E0DD8DCD5508,SHA256=EB90F29063964E8A4D37D8573017A07F9D643CAADAABABEE2A378DCBC1BE253E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555505Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:15.078{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932ECDD3BD871776483EE20BA7F87E79,SHA256=A2B7EB99C8C5D7FB52A5DA0B867990E3FB7FAD0AA876A28E93CA6381D6155BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653796Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:15.020{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E1F464CE1C7764843846627173B0198,SHA256=D82C956E63673DF1DF9B411174A428B3B253F420F52487D69E81D8C655F09901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653798Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:16.530{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD105E214FFE53F50EAB73C5A52C5C4D,SHA256=0C734B3B2226BEDCC4790D868BD904170EE044AB468CC2248B61EFC06C6A959F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555509Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:13.798{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51701-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555508Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:16.093{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379724A8DACE77A00940BB968CD04F00,SHA256=300984F378DF79E3E0BC8999208CF791739488722286DF0867A4B31E309D2831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653800Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:17.629{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF569817DB7E972436D71E62AAB2149F,SHA256=24F5D3F9BD2213684915C2E9EEA8965E8AEEA879E3452471D911329D34F7ED4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653799Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:17.548{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3ACC29C77BEB7DD6296F06CDE4AD582,SHA256=322436FC65CA919083342699A6ADC9AAF326E3DF48701EA6178B0334FF2627C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555510Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:17.109{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E509599DB40183DF79E25FD0A2E6FC23,SHA256=0A273181E3F40091C66B68ADD50F25AE034F33B0072363FD9E346B1A50CB4110,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000653806Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:09:18.603{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x8000000000000000653805Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:09:18.600{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Config SourceDWORD (0x00000001) 13241300x8000000000000000653804Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:09:18.600{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BB71F2B0-B2FD-473E-8F6A-A6267F6C421D.XML 23542300x8000000000000000653803Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:18.552{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B603A679651780714C4E236433E7C2A,SHA256=1F9B9851B11934B96200589AAA2E36FAF9F9781330CD770349CF9052ED41C273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555511Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:18.172{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94DF1D6B813DADCA90A6C3764BB2746A,SHA256=9ACAA9EA732AD29CED11E2A4A6658686D74D3FAF2F565D94143FAFA90F113136,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653802Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:16.664{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local57341- 354300x8000000000000000653801Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:16.663{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local59326- 23542300x8000000000000000653809Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:19.569{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3BA1CFD3683B266539714F8CBA60DC,SHA256=2FE61FC0E4FEEE4E3EDFE5FD1095F30EAC6489194F0E4F5A76FD390510346154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555512Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:19.203{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83E977D5B426A08C7200600CBCBA5A5,SHA256=67F3CE000F2AB3D84E42A2C72A656C52E33B9E95BB335919586600813756270C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653808Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:17.440{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65270-false10.0.1.12-8000- 23542300x8000000000000000653807Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:19.150{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0893DA30796131A537292A1D0DB62693,SHA256=8BA3EE2CE95195F6D637F009C312B40CF93E9DD13047647C10AEACDFB67FAB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653817Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:20.631{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8220F30562D3C50629673CB0D484F44,SHA256=053CBFADE3EB0AB3BBFE36A32422674D354BBE17F64E54B9B0E0263860F78304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653816Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:20.581{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8044F990F767B8978510011FE5B512,SHA256=D2649F0FCAE266DBC0AA75493AD965D87C87133457B68DF58B777A71359D00A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555516Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:18.876{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51702-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555515Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:20.250{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAE41D9075A693C28FD7E60BFF9ED39F,SHA256=13B3F4009EB016AA240D5DAB7AF465E67D7A7320E9DA1698219DDA6DFCF0D676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555514Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:20.250{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A85F5042658B8DF2AEA7244A5EC6400E,SHA256=C797B1EEB14ED7FA67024E0C8D65A6B402A919CE8135C17374AE574D0A9A741C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555513Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:20.203{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7919C16197CA07250D2B6777AEC3095,SHA256=9349E3D69E4E92126F0BCC05F5538AC12611095A56749712513C7BAAA18053F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653815Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:18.852{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65273-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000653814Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:18.852{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65273-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000653813Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:18.846{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65272-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000653812Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:18.846{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65272-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000653811Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:18.829{7B03F3B2-D0CA-609A-0D00-00000000BA01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65271-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000653810Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:18.828{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65271-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 23542300x8000000000000000653818Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:21.595{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC61B2E8987253596A46534FA4FF390,SHA256=3058A380539AE18D1B1261A6E9627B7C579ABF7950083F5D86133F60A1BB1410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555517Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:21.250{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B270097A27840C6C83F3FDDD253DE1FA,SHA256=0B96CCF5AB16B4EB2742A95EDB1875447897865A6CA0A1FFE4356CE7BCF8E5CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653819Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:22.604{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1138F98007C22FFFACEA5926ACDCEED,SHA256=7894B6BA465382A4637C678C1AF014B198A8AFBCA4D070724A4A6FFB075D50FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555518Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:22.265{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C4F68CC331127F3FE210FB715FDDC8,SHA256=2285833405C27659F7E1B55723F85A816D191154274F4819EFA889C0C7D0AA52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653821Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:23.626{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462789AD8C15B4E4F54FC784AE114B2A,SHA256=AC8D335783B5ACC3A1B33A0AD11A654687CD554C60DF65CAD0D385A59C82CB9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555519Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:23.272{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F89BE96C90C75E18DB3C6F1177B5DAE,SHA256=2BD98FCE94BEEA7F6A7897134F36E2E0A64917C0BF87D1E8F764680AA7D3D2C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653820Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:23.110{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653825Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:24.630{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46EFC9CA2811542CAF41DAD9DBD845D,SHA256=779B007767619388EEBD4B737FDBA649EF11999177157945A0D8072C814704EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555520Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:24.319{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6E03A317844A4023C18EB6725BF189,SHA256=F940EE06959DA1AF2672DE30A36FE13F098A72805543F35CCBF4DCB28CB244C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653824Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:23.345{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65275-false10.0.1.12-8089- 354300x8000000000000000653823Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:23.314{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65274-false10.0.1.12-8000- 23542300x8000000000000000653822Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:24.091{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20759279EC0DCABFE58817DBFF052BE2,SHA256=0F320AC762DBA370C33291CD554D8311E3F0FD744340C5A847F161F70C449DBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653828Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:25.642{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53AF06AA19B251236CA6B02C58CB141B,SHA256=78B1261CE8B7056F7CC469EB8B781B46BC6828FB3CE0B7A53F972132912F47B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555521Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:25.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C230C278F6B151ECC73CC30BC22D37E,SHA256=56BFEB5604ACAC1756D762947DD5CFF3FE957B845D3E3E32D64BB068657B45EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653827Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:23.635{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65276-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000653826Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:23.635{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65276-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000653831Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:26.685{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653830Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:26.684{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=6BACD8C28A429752E1BF7350E0DDFE08,SHA256=963B02A039F586C19363A97A990DE0F3C6BD2D3ACC1B06BEDA02D201AACD8F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653829Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:26.680{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6A606901B3F1AA161B6B1C932DC02B,SHA256=E5E73BCA68B380F6AD5390E1DC670AD572B4284FB8BD58448F28C7C80514C7F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555538Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.943{E1BD9FC2-6B56-609D-924E-00000000BB01}30603788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555537Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.819{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B56-609D-924E-00000000BB01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555536Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.819{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555535Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.819{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555534Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.819{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555533Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.819{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555532Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.819{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555531Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.819{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555530Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.819{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555529Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.819{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555528Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.819{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555527Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.819{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6B56-609D-924E-00000000BB01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555526Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.819{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B56-609D-924E-00000000BB01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555525Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.819{E1BD9FC2-6B56-609D-924E-00000000BB01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555524Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.365{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954460AC614EAEE0508A58DE45D56B67,SHA256=AB2DF350C1F9E71FA6F2D73E2A291B8F05C786EF7CE0AFB0AEF08543BF163264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555523Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.100{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C33B4C089EED63A93613B5B1D8F1D2A,SHA256=9CE006C9984305A7B82D5687511455C0C32CC99B7EDB4B8D698E66E4BF72D311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555522Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:26.100{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAE41D9075A693C28FD7E60BFF9ED39F,SHA256=13B3F4009EB016AA240D5DAB7AF465E67D7A7320E9DA1698219DDA6DFCF0D676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653832Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:27.698{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D50149722840BCAEE5F21DD2DFD347,SHA256=CB7182C965FC6ABB9B421C0F98FD756ED69AEA7EB8DA0E7C9A98E3DA5C5BDAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555555Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.865{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C33B4C089EED63A93613B5B1D8F1D2A,SHA256=9CE006C9984305A7B82D5687511455C0C32CC99B7EDB4B8D698E66E4BF72D311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555554Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.772{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555553Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.490{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B57-609D-934E-00000000BB01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555552Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555551Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555550Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555549Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555548Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555547Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555546Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555545Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555544Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555543Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.490{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6B57-609D-934E-00000000BB01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555542Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.490{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B57-609D-934E-00000000BB01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555541Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.491{E1BD9FC2-6B57-609D-934E-00000000BB01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555540Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.365{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496B209BABD07B83729C6F756D0A5CEA,SHA256=C6630080AE4F77BDF6343D966C5E11C3FEAF0EE55775A470FA8A87E31299A91F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555539Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:24.726{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51703-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000653833Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:28.707{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719E6DBA23D4F60DDEDE9D7FED3C6523,SHA256=9908A5C3315698BE699B6F4D053EF8F09405E8DA0FC4717F31DB003993C22567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555569Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:28.569{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83F93E2CF0E1562C659881D9F84FD2B,SHA256=2C9B33FD3504AA793C97CAB126AC6E424C44238277277F0792771105D9C1FA17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555568Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:28.162{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B58-609D-944E-00000000BB01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555567Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:28.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555566Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:28.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555565Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:28.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555564Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:28.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555563Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:28.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555562Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:28.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555561Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:28.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555560Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:28.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555559Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:28.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555558Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:28.162{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6B58-609D-944E-00000000BB01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555557Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:28.162{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B58-609D-944E-00000000BB01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555556Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:28.163{E1BD9FC2-6B58-609D-944E-00000000BB01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555571Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:29.803{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD4C586C861F3EDFA8A5DC528CD4467,SHA256=A5537E80C12F9136074E1A38DCEB6A4127A8E88C26493904FB1DCE15E9A00111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653836Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:29.715{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C153A0549073EE65DFA4733E7631115,SHA256=24268884A213AA91357C1ECE9BD68ADAEE7CE94B3535427799953F2957F7C0E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653835Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:29.229{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=626A7585C1F0F4B020ACA0EB0A72E87A,SHA256=6486A2504EFDB6F620E035C54472CDD9336CD80224E45A04B2C6CFB2E6EAA912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653834Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:29.228{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=389D939A08FD2DE53FE8E2D8ED557C33,SHA256=E63222FF7B3BCBA28FC37AFD45DF4090BDCAE3A12744EE544B0DE156736025F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555570Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:29.162{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B929EF2ABFE08040A8E8C33CD56C0056,SHA256=9175506521C0136EDE0523170740A8F1D3E0F2A6292F099F5778506C2F6310CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653838Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:30.748{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F84EE039300239C1637B2F0CBB6643C,SHA256=7CD44C468275BAD5B9239E74A5CB13F8D45E48A80EB2290A0A80A2A65A19FD73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555573Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:30.850{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D88F4925BE94CB3629E11C44250875,SHA256=F466BF18368136CD1EC52E4B2FF7BDC946A1124A088F6B03D9C4ACCB46617148,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555572Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:27.398{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51704-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x8000000000000000653837Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:28.465{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65277-false10.0.1.12-8000- 23542300x8000000000000000555575Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:31.850{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FB81B2C2BC4AE8A48DFDC76B47E450,SHA256=5592ADA463C5BA179A639262E9E4FD3A23A6C1D0B32116F1443851D56D5D4E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653839Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:31.764{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198E9B274A434C64F6B69786CBED3401,SHA256=1C369E74BB81B05613B47937D7DECF302ECF2ECA50E1DA6A4E75A5C1904F39EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555574Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:31.365{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A50F30EFCBFD312F7741E04898E77F1,SHA256=166A31C4997047FBEB356A82917486D16EC96FF41D5A3180CE4FE759CBF8FAF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555577Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:32.881{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4102F8489B966521C1D5C823A93A42,SHA256=46146C5F975D8C4D39E655745355DA814F51D22860F5EA6C1F14ED20D6655FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653840Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:32.775{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B3B19B498F898D8CA2E97478C0A0D6D,SHA256=C34A2CBE8387AD4759D9A7D656EC943C6F41D93CC91D08545CF5759273125D8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555576Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:29.820{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51705-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555578Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:33.881{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD20D637AD1E64EC51B62F92316AE3B,SHA256=10595D50970511B90A774C1391C61178D09065720E1110FCD9BDCA37FA22C899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653841Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:33.786{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07053599B55F99DD4114CF758677277C,SHA256=AEB5C691C731E050489BAC5DA4D0C533C51F7EA8A33E466B75FC160624AAAA11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555579Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:34.944{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4620B88459333D81480D10E144DB8D1B,SHA256=56BF120D9AD248A99D432AA518E3C1D59BB329F760B1DB33EE201259BD20945E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653842Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:34.804{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B3E82420C576E7D79ECB4F9AC32FEB,SHA256=A60EF63C1265320AD4D6A245C6956D7A2A183BD4DD140694B19DFFAEB606AAB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555593Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:35.975{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A0963ED98A617E341316BFDF3500C4,SHA256=14850096C059126506E8937E3B0369FBCD041D287E9A8A2E9B41B1236FE48CEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653846Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:34.306{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65278-false10.0.1.12-8000- 23542300x8000000000000000653845Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:35.820{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147245476E01FAE7C287BD9574059AC0,SHA256=AB31B24E292367E2CF842E5A5282BF618FB57C8582EC64ADC72BE3F9E7AA8B72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555592Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:35.928{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B5F-609D-954E-00000000BB01}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555591Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:35.928{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555590Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:35.928{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555589Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:35.928{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555588Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:35.928{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555587Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:35.928{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555586Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:35.928{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555585Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:35.928{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555584Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:35.928{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555583Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:35.928{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555582Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:35.928{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6B5F-609D-954E-00000000BB01}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555581Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:35.928{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B5F-609D-954E-00000000BB01}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555580Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:35.929{E1BD9FC2-6B5F-609D-954E-00000000BB01}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653844Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:35.070{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A9708D5D9914B1106E44E81BB68C8D2,SHA256=CE3CA76E7AF9072ABBF5B3DD81DCD7C30CF547FA1C375DC86FC3DC1FA8B64157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653843Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:35.068{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=626A7585C1F0F4B020ACA0EB0A72E87A,SHA256=6486A2504EFDB6F620E035C54472CDD9336CD80224E45A04B2C6CFB2E6EAA912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653847Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:36.832{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3262955741F49092788CBCF6FB6E7BB,SHA256=204873C5319633CABA88B1A5344737B358F9DA03A2C21D11DB60D5E337309904,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555609Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.725{E1BD9FC2-6B60-609D-964E-00000000BB01}23882836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555608Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.600{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B60-609D-964E-00000000BB01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555607Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.600{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555606Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.600{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555605Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.600{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555604Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.600{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555603Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.600{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555602Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.600{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555601Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.600{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555600Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.600{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555599Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.600{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555598Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.600{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6B60-609D-964E-00000000BB01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555597Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.600{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B60-609D-964E-00000000BB01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555596Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.600{E1BD9FC2-6B60-609D-964E-00000000BB01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555595Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.256{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2320AED3FB1B62EB77FAD09A35D70F4F,SHA256=E73018BAFCDB3531AFB2C18BBA3EEA6A9437E9D6ECCDD35FFF54D7E5C837FB23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555594Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:36.053{E1BD9FC2-6B5F-609D-954E-00000000BB01}9281760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653848Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:37.852{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69540E8533CB216BC565B77F79E55D8F,SHA256=173B4D12A814BE1F007AEF0673C8347499CAB84566465B97193F64056FF3E890,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555638Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.944{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B61-609D-984E-00000000BB01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555637Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.944{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555636Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.944{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555635Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.944{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555634Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.944{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555633Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.944{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555632Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.944{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555631Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.944{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555630Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.944{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555629Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.944{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555628Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.944{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6B61-609D-984E-00000000BB01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555627Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.944{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B61-609D-984E-00000000BB01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555626Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.944{E1BD9FC2-6B61-609D-984E-00000000BB01}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555625Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.631{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB0E958E91F07F0451BDFEF1A5F70440,SHA256=28346B9916B05768EB0D994B99B7BA48D37330762D1E60C402937940CDF4E779,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555624Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:34.836{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51706-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000555623Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.272{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B61-609D-974E-00000000BB01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555622Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.272{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555621Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.272{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555620Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.272{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555619Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.272{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555618Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.272{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555617Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.272{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555616Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.272{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555615Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.272{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555614Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.272{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555613Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.272{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6B61-609D-974E-00000000BB01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555612Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.272{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B61-609D-974E-00000000BB01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555611Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.272{E1BD9FC2-6B61-609D-974E-00000000BB01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555610Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:37.006{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD76658E95406AB295048603E0B10D8,SHA256=072BDB1B26014A5036A3AE3D19EB1B986E8402B87E950E65B83F87C7B4A74C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653849Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:38.859{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0174D77CB410F2A7542789460865B2,SHA256=F3BBE78A9CAC238AD7A54513E473EC19D207EC9DEDB2094B2EF60203665B6E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555641Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:38.959{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0E7B4A251389992086CAD0133E0BA78,SHA256=2F3C04DC8702BC27514E6A40308C0EDB90E0FC97B12049F2A87AAC2C18667FFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555640Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:38.069{E1BD9FC2-6B61-609D-984E-00000000BB01}1002892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000555639Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:38.069{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCDF9561724447486C638862556F8E6E,SHA256=23C80799BF19EF2DE9469D11C2E6C596F6C8FDB7473F6C3B31C184E164F7E6C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653851Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:39.867{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E8161F5CBA0114AFF43D53D229955A,SHA256=803A6D5C703452E103270064F6327745D1E31A7ED8DF4A6E01E68D4D8107BA88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555642Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:39.240{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0596C278F706322E747F33C6D66726B8,SHA256=C6D49F5BC6B584122F748444A8CD1E087CED11034365F1F7F8B2600123FDCED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653850Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:39.160{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A9708D5D9914B1106E44E81BB68C8D2,SHA256=CE3CA76E7AF9072ABBF5B3DD81DCD7C30CF547FA1C375DC86FC3DC1FA8B64157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653853Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:40.883{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F7EAC3DF3ABE7F9837C9CB08091EA3,SHA256=DBBC7FAF3FB23830D61D1AB737AE2A0CBE7305120DCF764FE4E2AE521DBDEC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555643Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:40.272{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F82520BD62248A7908F83F0F38B25F,SHA256=17EEBC0D07B2CF5E54F4277BFA1A2A4E1A70DAD58367CA923756C8EF77711333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653852Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:40.264{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A6092A86C75FAA374792A52AE4D60F4,SHA256=BB9456D1FECC56F0FF710C3B18DD63FAD9FA27EEC96AC696A7781F10E929A741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653855Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:41.894{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CC072687D29A93F156A6E584EDB032,SHA256=FA7E7E36B93D79859E618095FC52B0BE29E3FA60A723F6FC1438588765707A51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555645Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:41.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97805CF05EE6CAE829F5A53A950CD6B,SHA256=009E579B045064C0EB8BDCD7F0909993BCC25B85C34BC83424BDD9F6210EFEDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653854Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:39.487{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65279-false10.0.1.12-8000- 23542300x8000000000000000555644Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:41.225{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1318552F306AF441442D54E64B60EEB2,SHA256=4C82954ABF2AFC29AA730FA16149A5CEA0AD44D551A7E2A91CB291F0C043F796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653856Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:42.902{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E14315EC7EF0F23FC1D2BD38601E850,SHA256=5A84BDBCE01558916D32E391EB1F161665BF96BD37E3A935C8DFF27A9CDC7643,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555647Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:39.851{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51707-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555646Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:42.303{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2A5FBC80129631373BCB7B28E32CBF,SHA256=9AC0AEBFB1550C48C88D344F6A31DB5BFF3DCF90064EF69576B7A2E70689C723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653857Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:43.915{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05204F935244B81C65A884292008A43D,SHA256=D6ED05CF2CD65F8CA5246B14887881C50220BDB817A557FE701889B3968E5D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555648Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:43.381{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D3A5385D4657493F837D628BF1412C,SHA256=32CC585CBD7F3952827B39BE3CFAB26CD82107C56D239AE5FBD023EE4B93545A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653859Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:44.944{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2168949D946EA87AD7D8036F3C227ADF,SHA256=37FD7F3B78A8E88532FC9703597A686749C1A8BF8A267C431CC3FEF466BD1BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555649Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:44.396{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79C7A2F3E213888CF81ACDBF351FA87,SHA256=17D295D9C3BA9E01BDF030F108591F745F08BEA3A1D401CC64A26FA831D8666C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653858Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:44.117{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D15394948AB5D08C5814B23A4956D56C,SHA256=F16A022B6AA8B6296C961FFD9D27D32F98593ECA38F117306A14283C37DC21E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653860Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:45.959{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC92DF52F2FA6F913436DA3FEE6662B,SHA256=D179863E183324205796B86DFDF955F6DEEDB3302C504A7EFB842680FA32E3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555650Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:45.396{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE6D274999E1A5AB473F7E2A9612B9D,SHA256=FD8307E4E4867297DF1919AD6A3DA6BFE708EA0153ACB409CCB479FC6DC4E0E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653877Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.998{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653876Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.998{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653875Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.997{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653874Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.997{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653873Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.997{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6B6A-609D-8353-00000000BA01}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653872Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.997{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6B6A-609D-8353-00000000BA01}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653871Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.997{7B03F3B2-6B6A-609D-8353-00000000BA01}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653870Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.970{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FC40A7C24694003D74E20654B69414,SHA256=661C89B5A2A9E6F284E7FE21519F2087555690B72934D4A7073DF7CB2D124AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555651Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:46.396{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F89FDDF21063A27EE78EF54E49D969B,SHA256=C6F0A7F75DE8BE8103EDFC0A319DA8121182F7AAD96B378AB56644C9C973382F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653869Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.333{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6B6A-609D-8253-00000000BA01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653868Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.331{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653867Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.331{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653866Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.331{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653865Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.331{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653864Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.331{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6B6A-609D-8253-00000000BA01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653863Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.330{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6B6A-609D-8253-00000000BA01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653862Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.330{7B03F3B2-6B6A-609D-8253-00000000BA01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653861Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:46.039{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3EF47A28525C231FBCD32B5A4E734F9,SHA256=B1CBC35336F49549BD876D07154023FDE2EB5DFC857E48DC374E1AC1FAADBD4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653890Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:47.992{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A2A9CB7315029D0AF239C15E2C1017,SHA256=9F28D0C80B8C5EC67A76131A5E3C0C72039373673AA7BF3002F3671ED76AF181,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555655Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:45.695{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51708-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555654Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:47.428{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB873799FA83DCE4DD2C99615B7F7E5D,SHA256=B11D7F18E2CB74C04C6237A7A9788BD3F0BE3FDE01C51E76F9E9EEE8796AE7CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653889Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:47.862{7B03F3B2-6B6B-609D-8453-00000000BA01}75367528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653888Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:47.682{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6B6B-609D-8453-00000000BA01}7536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653887Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:47.679{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653886Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:47.679{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653885Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:47.679{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653884Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:47.679{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653883Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:47.679{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6B6B-609D-8453-00000000BA01}7536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653882Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:47.678{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6B6B-609D-8453-00000000BA01}7536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653881Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:47.678{7B03F3B2-6B6B-609D-8453-00000000BA01}7536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653880Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:47.335{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BF1E9217C1685CAC470B501B6A30C9E,SHA256=7437C0FE6BCE59958F5D535E8B92C605703F082280CEBADED126996E34147E69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653879Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:45.270{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65280-false10.0.1.12-8000- 10341000x8000000000000000653878Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:47.000{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6B6A-609D-8353-00000000BA01}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000555653Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:47.053{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D490695B14C54972AF34FA5B93FF1F4,SHA256=50F8A64059226BCE6F2849F3B48FEEE2B6D2CD6DDCDBAA2D3D9AADECEBA2858A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555652Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:47.053{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27423EE42D57F45AE41679FE029888DB,SHA256=2838B893EECB754FD49B6A302833ECF1DED01AB8CB076CE1CED4C81545538489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555656Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:48.428{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0849D8AEE9CAB02A9B3C68D48EAB908F,SHA256=0AE08DA683AD5DC5DE7629D71DD76014EB4FB9343E0348ECCF361EEAABE8CF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653900Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:48.690{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BD498E75E3C11D5E5DA513F26091581,SHA256=210EBD4CCC3543E0EC9192339DB7A342F77779F82967BBA50E89250BDDA536BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653899Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:48.602{7B03F3B2-6B6C-609D-8553-00000000BA01}17888116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653898Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:48.459{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6B6C-609D-8553-00000000BA01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653897Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:48.457{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653896Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:48.457{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653895Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:48.456{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653894Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:48.456{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653893Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:48.456{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6B6C-609D-8553-00000000BA01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653892Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:48.456{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6B6C-609D-8553-00000000BA01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653891Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:48.456{7B03F3B2-6B6C-609D-8553-00000000BA01}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555657Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:49.474{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=675B6515DD0C11F2B480452E9763E9EC,SHA256=1250BFB8B5FE53474FF2F207E4D1BE83784AABDC7CFD312724B5EAB7FA7E15ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653910Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:49.234{7B03F3B2-6B6D-609D-8653-00000000BA01}80403412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653909Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:49.094{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6B6D-609D-8653-00000000BA01}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653908Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:49.092{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653907Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:49.092{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653906Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:49.091{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653905Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:49.091{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653904Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:49.091{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6B6D-609D-8653-00000000BA01}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653903Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:49.091{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6B6D-609D-8653-00000000BA01}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653902Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:49.091{7B03F3B2-6B6D-609D-8653-00000000BA01}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653901Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:49.003{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184405F96286C5793E5AE91B04095F99,SHA256=030C3CD7B637484E6CE3E2A9369DEB57626DDE9683F26D8B73086669ABEEAE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555658Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:50.490{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6AC043E5695F610A30132F39356A7EA,SHA256=34C1FE9FC80219F41C08DDBAA9CEDD581207ABF1525A0423BC415D73F1352682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653912Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:50.110{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82114A8F5CD59F2AB3117CDD312CE56A,SHA256=A37143C39B1E5B388A1FE9F7D6B3FED3E0118A07EA747498E42BBBBB68353D3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653911Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:50.008{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A6E36F4F509B8ED8FE2271D87659ED,SHA256=0365ECB430EDEA6E972013E07FEFF8E98DB44173E1834291BCD8C72D9ED6A9D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555659Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:51.553{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB1AE16C9804232FB9F4C642BE3E939,SHA256=1F98437A976801B72D80795D1F515E74786A77AE6A60E079AA4FC276A2CC3F24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653923Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:51.272{7B03F3B2-6B6F-609D-8753-00000000BA01}64122476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653922Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:51.242{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F644CA40A06D5C87B907CE67B0C0836F,SHA256=FCCBA4C9A635FB5E5A1622492D3D6C494585D25B1B34D7B782E6F487E36B84E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653921Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:51.116{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6B6F-609D-8753-00000000BA01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653920Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:51.115{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653919Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:51.114{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653918Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:51.114{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653917Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:51.114{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653916Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:51.114{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6B6F-609D-8753-00000000BA01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653915Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:51.113{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6B6F-609D-8753-00000000BA01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653914Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:51.113{7B03F3B2-6B6F-609D-8753-00000000BA01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653913Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:51.016{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0293DB6033640EC74BBA84AF9C2BB8B,SHA256=4B69B22C22F0563BE87DF37854BE361602AA44DE1E22B36B85624EE3F62A8355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555662Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:52.553{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1834096E0F109837DE7F88936B784F8,SHA256=4036AADF960575B953635DE58A9C9D143107EB8BED60ABE6CC398D40CE0B9289,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653935Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:50.462{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65281-false10.0.1.12-8000- 23542300x8000000000000000653934Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:52.964{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8BA5E3CCA93E336FD0839C09E293495B,SHA256=61B90119E55376D6578E24305379B0134165AEED456DBE978124BC3B7D58BC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653933Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:52.285{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F55BCD3164DE1D6FEBC1EE49DA9E5B6,SHA256=11ED2793C658B4DA18E430E82D1457903C446E751E83710F6176DDEA120FE997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653932Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:52.027{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31032AC2C0556397AC9E0A968BEDC6E,SHA256=AC973F7DDC19BFFAE0001DCBD270EB0649E03B3955F201B6EBCFE2B6B86CC59D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555661Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:52.224{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C5265DAD6DE70CE8697D6CDD9BB4E02,SHA256=0CDE856105F3B7AEF6AF5E5800050AA9B2BC3B503D00992DA12E9119FB0DD624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555660Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:52.224{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D490695B14C54972AF34FA5B93FF1F4,SHA256=50F8A64059226BCE6F2849F3B48FEEE2B6D2CD6DDCDBAA2D3D9AADECEBA2858A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653931Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:52.008{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6B70-609D-8853-00000000BA01}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653930Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:52.006{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653929Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:52.006{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653928Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:52.005{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653927Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:52.005{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653926Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:52.005{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6B70-609D-8853-00000000BA01}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653925Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:52.005{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6B70-609D-8853-00000000BA01}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653924Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:52.004{7B03F3B2-6B70-609D-8853-00000000BA01}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000555664Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:50.804{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51709-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555663Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:53.553{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D6648F407202ECB981FA6B4FC41915,SHA256=5D7C1F3AC33C148A44C4BA9BF723081512BADC0E10F0377F70B45F48D0FF65BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653936Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:53.044{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CC48A8A1CD764102D76C541140211E,SHA256=4DBA9A51F91CE3B6CD1A91C8F3368C2437EB25EEBF0621AAFB68470C97D5EFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555665Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:54.584{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4B309BCB8C8A6EF3A497221A8A004A,SHA256=D9A0BFFF2BF1B71D363FA61F97F73E8B10BFD1E562BF2D2971F3298E5A633DD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653966Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.976{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653965Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.976{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653964Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.976{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653963Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.976{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653962Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.976{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653961Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.976{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653960Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653959Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653958Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653957Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653956Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653955Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653954Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653953Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653952Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653951Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653950Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653949Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653948Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653947Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653946Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653945Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653944Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653943Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653942Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653941Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.975{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653940Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.974{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653939Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.974{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653938Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.974{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653937Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:54.059{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB9E5281CAF29959E268D1E710777F1,SHA256=AD2F9382F81C1452BD31CFF75DD7CD355EE7CD9E46137FC6006146E20BA6A953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555666Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:55.599{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD950B0464F6B8811959070ECA2FD893,SHA256=D712F1E8B387B6F8FEEA3C09D546EF155C513B3D25D07AF9F5075B1B74A9034F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653967Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:55.193{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5239E94CE4F63FBD18DC92723AE1EB40,SHA256=FD8542141C2566B0502D6B3720FD7620A834B6423750BDBCAF2FA8C551D0764B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555667Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:56.662{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF886AC652EE56AD2FE87C81E4ACE73F,SHA256=EC4F60F0C4C36FB8884242766CCC0083007CBDABD1D2F9A0A5AAB796468AC631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653969Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:56.264{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BB61B508FF227EEE69F1BEAE57BA6A0,SHA256=C14E273ED14867BB5B5944A2FDD00BF4941A718D80E755D14EBDFB08A8DFEDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653968Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:56.201{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=998132AC1F74E6194693A4584DC34DE8,SHA256=BF895D49C5B57DF44AD1A35DC3DFED81A20146702A00DFFB5E3493178082E43E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555668Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:57.709{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D91E98B793038C8459E2DA42658FFFC2,SHA256=A679F250619DBE35B874F0DF8C01B59D2F97DF91873F649A7F9529AEB7E5D42D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653971Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:57.211{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6F1FFC145B1D359116077E740B315A,SHA256=4DF7FA5552551C404D344A844609777A80057E1F2B865D816B3B9AE9646FC4B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653970Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:55.498{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65282-false10.0.1.12-8000- 23542300x8000000000000000555671Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:58.724{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303C9EF0B65CB2D599166FC8F380F9A9,SHA256=928CB7570439A8CE73C46518091473BE5580730207ABBE8D58BBFE03C9A78651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653972Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:58.217{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C0B05FED13D2B02ECF2EE6AA263829,SHA256=2534B13D4623DACB7128742350F338B774ACE611889D62D04E74F461033C1F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555670Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:58.099{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81ACEEAFDBE86FD7FC65B80AC5A46823,SHA256=B01779FDF2B0E409B23A9CDE8B455E2987FDDFC5765486CC7080899503B36A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555669Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:58.099{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C5265DAD6DE70CE8697D6CDD9BB4E02,SHA256=0CDE856105F3B7AEF6AF5E5800050AA9B2BC3B503D00992DA12E9119FB0DD624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555673Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:59.724{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69AA7028B5CFA8022C4182F91DCCF2B,SHA256=6BCC5479246CBD2E4FD1E0811F47C65FB17B4755EF82206C2F48A603044F2153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653974Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:59.230{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F82229F6DFA8E2C5874FC6A8DF4E6A,SHA256=590FEF6FB7B0FB7EF84C8B5402E73DC3F31C12852445750A852A647BC9F4ACF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555672Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:09:56.726{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51710-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000653973Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:09:59.115{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0E62F59E26B9FC5D1EFC2E4C5CEB892,SHA256=1A2092D4912214BD635BC6FC0BD7CED563C24115556F27EBFF2CF0A382553D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555674Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:00.740{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B00291D5DE973ECC110D8F5CD9019B,SHA256=9DB8CCD948B8D6EC37FE8ED49918D2C84BCB4DC26A1777CBB99563A4F0FD89E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653976Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:00.737{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\aborted-session-pingMD5=2E34D67A7E4FD6823F87777BF7C90B53,SHA256=75DD66BF0CBDB099A53E02E54AF64D07119B41B9F9E2018FC6343C4B7FBB350D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653975Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:00.245{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1B9CD4AD44CB1F398F6509672D604A,SHA256=AB3DCA908462000FE4C6F88C7B086757103DF2CC15FF61B400BB057B3E51F25C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555675Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:01.756{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146CC7D9DF9DC7036276D947B806317F,SHA256=E1F9BA64C39EE15E92ECD6CDBE0E8C28C880C6AF938D3E99DEE89E08CD4F400E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653977Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:01.254{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84888E8AE7376E648BC0DFA5DB99453,SHA256=BFD5358ED55B7E36289A8AE4001A9BDF5FC75DF34AAD32119CC56B248A7AAC06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555676Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:02.771{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9EA108D939F319B8A64732E18583B7A,SHA256=63564A9DB8BF4DDC8EE9C2F4D68C08B0AF12B40D63C56BDAAEA81CE12F669DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653979Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:02.262{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FC84A1EFD0804532B81F07079EBCC5,SHA256=0E348F41667C231A1FB07D741455B6CD93CE7E3A14D217460A353D7737955206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653978Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:02.032{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72C7F07B8C11F1A19234EE60DE4F8E4E,SHA256=2046EAF458D65381BA8BE716CA1B6CE65302E2E8AFD1865C29AA7649C4CC7150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555679Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:03.776{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2AA48810F5D508AC71419DB17EFFC6D,SHA256=2B6746C092563039A88F053AFDEC79693214C791FEEED9D0529C5ED8EC44D326,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653981Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:01.260{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65283-false10.0.1.12-8000- 23542300x8000000000000000653980Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:03.272{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F26797CE8D1A5B3FF035D3F187E896,SHA256=F34F9784D10A640654FB7EA55FF9505BE4C62F4614EECC69C01D6A4033C228B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555678Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:03.229{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A221C89BD9632540974FD481023AC7F0,SHA256=885FD6BEB0EC5B849DC760B69777A1F8B81966313F2ED47CC77A6EA74BF9C473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555677Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:03.229{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81ACEEAFDBE86FD7FC65B80AC5A46823,SHA256=B01779FDF2B0E409B23A9CDE8B455E2987FDDFC5765486CC7080899503B36A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555681Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:04.777{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB569E93AD60609997BD4FBA75623EF,SHA256=0E96B5BBAA97246D1E1CBC75E58B02C998A741E074D3EA5F374D79DDA4B48163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653983Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:04.344{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F8118F18B70E85047DDF31F4F3DFADD,SHA256=BE67DFB5249A270959ADD0DFACC73421CF235E973C72947BB2A89DDD73CD92D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555680Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:01.819{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51711-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000653982Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:04.145{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93B1356A71084C080D6DCE9204254BAB,SHA256=81B040D2F9B56DCC9DED438461851CAB980280D9B100FD2FA462E55E10B3CE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555682Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:05.790{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EFB26913B85FBA9E1FF22A976CCD37,SHA256=6D2C3AF1230724CC74658B077B36B01C476C8735657C0A8CFAE4CD9ED430C48B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653984Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:05.388{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2FA0C05801DBF3A7D85BC9C225DB3D3,SHA256=B52FA771243384D3F4FD94081D79AAB0868AB2B7CC5F8A08DE39909D5EACED4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555683Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:06.791{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B21EEBB589AD45CA9E499936DF20A6,SHA256=FE8F5C674BB364CBE70BF50BA60C838409568FF6F907C09BF19441DE23C60917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653997Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.407{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689FA1CE52785773EA572A90A6BA9492,SHA256=4934FF539FB208262BA64610801D7E71443EAFAF332E7ADD9C7F83CE68787482,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000653996Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.340{7B03F3B2-6B7E-609D-8953-00000000BA01}7952C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000653995Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.335{7B03F3B2-D0C8-609A-0B00-00000000BA01}6324952C:\Windows\system32\lsass.exe{7B03F3B2-6B7E-609D-8953-00000000BA01}7952C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653994Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.335{7B03F3B2-D0C8-609A-0B00-00000000BA01}6324952C:\Windows\system32\lsass.exe{7B03F3B2-6B7E-609D-8953-00000000BA01}7952C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653993Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.268{7B03F3B2-3953-609D-A64C-00000000BA01}19044796C:\Windows\system32\conhost.exe{7B03F3B2-6B7E-609D-8953-00000000BA01}7952C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653992Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.265{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653991Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653990Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653989Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.263{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653988Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.263{7B03F3B2-319D-609C-402D-00000000BA01}2288452C:\Windows\system32\csrss.exe{7B03F3B2-6B7E-609D-8953-00000000BA01}7952C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653987Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.263{7B03F3B2-3954-609D-A74C-00000000BA01}19923584C:\Windows\system32\cmd.exe{7B03F3B2-6B7E-609D-8953-00000000BA01}7952C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653986Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.262{7B03F3B2-6B7E-609D-8953-00000000BA01}7952C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe1.55.1Rsync for cloud storageRclonehttps://rclone.orgrclone.exeC:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe ls mega:C:\Users\Administrator\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=22BBE1747933531E9C240E0DB86268E2,SHA256=53AE3567A34097F29011D752F1D3AFAB8F92BEB36A8D6A5DF5C1D4B12EDC1703,IMPHASH=2F1ADC02EEC2C8681D1612C9A43CED84{7B03F3B2-3954-609D-A74C-00000000BA01}1992C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /K "doskey git=^"C:\Program Files\Git\cmd\git.exe^" $*" 10341000x8000000000000000653985Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.262{7B03F3B2-D0CA-609A-1300-00000000BA01}922724C:\Windows\System32\svchost.exe{7B03F3B2-6B7E-609D-8953-00000000BA01}7952C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000555684Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:07.791{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E5C880A6D4CE638E8AD80B96E044E9,SHA256=557583EBE757E6F8582D033C521DC979815F1AD6B5116253389C09C6E739AF39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653999Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:07.415{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1B55B449C3A7F2EAB2A1C7A11E0F84,SHA256=BEA23940AAB7B2CAD56FE845ACD8E606663F464AB27A8FDB153CF4555D60AA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653998Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:07.039{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDF11FC3C6C716D6DCCEA82DBA9E8071,SHA256=DF5AFA5C2989CFAEAFDC81788005C4360D016B98B5CE3C5B2B95537C39B4BF5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555686Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:08.822{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=679693702A7E864EF96C35D2C6AA91D0,SHA256=C0F4384E45EB572B70BD26A98706A049F42B0C244F698FCF8CDCF91A57F9A831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555685Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:08.807{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E318321EE9DB00F94EBBEE75C752A1,SHA256=C68197825E6993D0CD4C822BA72D7480F5CE45BED74E4E375DE5360355B1D039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654013Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:08.431{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7579A4ED66CC1B95BFCF45A118DF4544,SHA256=01D0827525C744C7BDDEA85B25D229A8023D41140601F0C2D295ABAC00753864,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000654012Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.574{7B03F3B2-6B7E-609D-8953-00000000BA01}7952win-dc-18.attackrange.local0fe80::b173:2d3f:cb87:36ed;::ffff:10.0.1.14;C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe 354300x8000000000000000654011Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.623{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c890:a4f4:8987:ffff-59939-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000654010Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.623{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local59939-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000654009Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.623{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.14win-dc-18.attackrange.local137netbios-ns 354300x8000000000000000654008Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.623{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-18.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 354300x8000000000000000654007Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.608{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local58821- 354300x8000000000000000654006Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.586{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local49177- 354300x8000000000000000654005Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.578{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65286-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local49666- 354300x8000000000000000654004Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.577{7B03F3B2-6B7E-609D-8953-00000000BA01}7952C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65286-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local49666- 354300x8000000000000000654003Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.575{7B03F3B2-D0CA-609A-0D00-00000000BA01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65285-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000654002Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.575{7B03F3B2-6B7E-609D-8953-00000000BA01}7952C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65285-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000654001Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:06.267{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65284-false10.0.1.12-8000- 23542300x8000000000000000654000Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:08.144{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E70FE988C83785D09FD20367314F29CF,SHA256=464357F4D29A3C7940506CADD11A1F1FDC1B056C9F8921759D3985E9778A7B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555690Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:09.822{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE6AEBE4862570B3AB88E859D66898E,SHA256=43782ABADD19D8A47561298B7B3EFBFD8D17D2439DC8823C5435D84C6433DE60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654015Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:09.703{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B252016182F74D6356FDDD49486D72B6,SHA256=53235A8F7AE631DAC2C5740FB97308BC6CEF0BFD51E881F80C5C7469CB215E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654014Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:09.444{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A850E81380F0F955CD256AAA146D150A,SHA256=0BB02B65AA82DE130A34A3B384B3C22D27DAE10C4AC7E1E46930AF841D268B13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555689Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:07.745{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51712-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555688Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:09.150{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05CBE0B3545B32E62CDD675CA6CC27C3,SHA256=8004F62A47D1D04449527E713CD984B7B29AED9A7DDC457C618B9B0BD9D2F48A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555687Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:09.150{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A221C89BD9632540974FD481023AC7F0,SHA256=885FD6BEB0EC5B849DC760B69777A1F8B81966313F2ED47CC77A6EA74BF9C473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555691Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:10.822{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2C5AEF80883EA787432E391219AE6C,SHA256=9B4536822597D62D6D703F18EF4F865B26B8B896217B3401A748D2C4F04D330B,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000654017Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:08.937{7B03F3B2-6B7E-609D-8953-00000000BA01}7952g.api.mega.co.nz0type: 5 lu.api.mega.co.nz;::ffff:66.203.125.14;::ffff:66.203.125.12;::ffff:66.203.125.13;::ffff:66.203.125.15;::ffff:66.203.125.11;C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe 23542300x8000000000000000654016Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:10.457{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8FFBAC0B71BA6773212CA84ACA5137A,SHA256=CC8194247FE0EDAFCB1228F33A4FC7284D7A038F07B5C7319D82B820712C2082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555692Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:11.822{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8285AB1846666F39F25D8CFB0F4C026F,SHA256=DC29BFC8296AB923D020B07DF490041A24EFA792EA7A14D2B536F27728BA971F,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000654020Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:11.948{7B03F3B2-6B7E-609D-8953-00000000BA01}7952C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe 23542300x8000000000000000654019Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:11.469{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F56C502A95DD141C2DBAD09E6F8009,SHA256=568BB2F2DB44D94E4C9D00F5217D6860714966583A698B6DDF57F0D262AEA7C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654018Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:09.095{7B03F3B2-6B7E-609D-8953-00000000BA01}7952C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65287-false66.203.125.14-443https 23542300x8000000000000000555693Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:12.838{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD0A4F9C5E9D1A3847227FF0F5572DAA,SHA256=622A055128DC27927AD26EA673B070C152424E42FBD64D319B51523F4842672E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654023Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:12.487{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BFF7B6AE4AA047C5E45A34FEDDB786,SHA256=53754FD01B098B4CF6004CA053766D59CCE681FBA8EBA422D4BB144E855FC951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654022Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:11.377{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65288-false10.0.1.12-8000- 23542300x8000000000000000654021Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:12.156{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7167C71E9A426A8048BD747637D6D95,SHA256=CCD90EB57EAB4C5F9C647327C5499C3F08A03A44F8296BCEE25E64E22EA49E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555694Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:13.853{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428ED478612080F4B9BA5BB8BAE82036,SHA256=1EAC0A854A602027B68DD2D8A69285D1FA26C90CEF7F47A6FE78166CCD233A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654027Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:13.499{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0DC1605592A15C2F8FF67FAEB5C5D40,SHA256=8387F3B101AEAFD192CA60C29DFB85755DC44E5D8D0C7FF0946D1256095123E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654026Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:11.683{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1win-dc-18.attackrange.local64203-false127.0.0.1win-dc-18.attackrange.local53domain 354300x8000000000000000654025Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:11.455{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-18.attackrange.local53domainfalse127.0.0.1win-dc-18.attackrange.local64203- 354300x8000000000000000654024Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:11.455{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98c0:c1eb:8987:ffff-64203-true7f00:1:5:0:10:0:0:0-53domain 23542300x8000000000000000555698Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:14.869{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=782B096369D8BCABC46A3D43B046B992,SHA256=27857F21D28F389741CBC072FC6578EC6C608D4A49976275BE0CA05B8D0C8B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654029Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:14.672{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B3EEEF89326D65E0CF0DF67C805A577,SHA256=858CF744DC0FDB342BFD4B14D97DB8957187204BBA05F1CFFB43ED1A2BA3D2B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654028Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:14.519{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505DC26839DEE5E32A5C2F4C965DECF8,SHA256=CDA18E3C6362DFB19DDCD5A8FD6013F3EB2AB81810782B75356B34B82BF60282,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555697Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:12.870{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51713-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555696Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:14.275{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34812A2085ACB73E11E35C5C2483A76F,SHA256=8A4D35F64035B517B144A82A042E75FA9DB3E83C085CDA54700E886FE0252D64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555695Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:14.275{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05CBE0B3545B32E62CDD675CA6CC27C3,SHA256=8004F62A47D1D04449527E713CD984B7B29AED9A7DDC457C618B9B0BD9D2F48A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555699Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:15.885{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372406540B6584687B7B6219424A115A,SHA256=05DA62781C1E84AC5A481E5B903C8164392B13E8A1174C34A9B11F3C64B78E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654031Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:15.551{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90EE0CC9AAC77D8902AE688AFC7C837,SHA256=9D5104FEC28F6624A527A7595C8315F4CB1E1E2D3542B13292A6F6DF43D1976D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654030Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:13.910{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local50826- 23542300x8000000000000000555700Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:16.916{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F80A01475139BC730A0CB021E95130,SHA256=D16BA9F8167674F6CFCD6BF517D6F1F6EAD369E52385389001241AE75D479816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654033Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:16.567{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E947F4EC2DD22AB39835417A8682E49,SHA256=005AD081C7EEF8A999526C2F7597349D063F15D0F1DF977902627DA6792E9CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654032Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:16.197{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0524D1FADDFB18BB38C1BEFDD7F08DB,SHA256=664F4D8EE92CBAEEF381DCFD900C4447C12708E8A2923C70AC63A28F81673606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555701Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:17.916{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20761B9FE099F70FD6147622D1264FC1,SHA256=7A237D031830E6C7141865EBE577CFB92E614D5F9F85C64ACBF279E1F5DC6528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654034Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:17.579{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B2001D0C37E8E3129B0538D0E77930,SHA256=7E873D1650470E7017DAA8236477909FD81152A1080B8C6F7A62EC0345F0294F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555702Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:18.932{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EDDDEC10592BACFDEC9DB3E26F9FBFB,SHA256=0D5C0A9E7408C45A36015EBAE8516C5A889D9AE63E6E1DBCE84E15E8DACCF4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654037Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:18.606{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8A4067D557FE31979223AE27CAEC9F,SHA256=B03C05C79AD85AFA33527A709725C44319DD20702BF8F03F875CC7E705A1B6CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654036Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:17.334{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65289-false10.0.1.12-8000- 23542300x8000000000000000654035Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:18.111{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32D01A8411CE71143B0CBE92E5E24723,SHA256=F6A2D71D54F80335CCF0AA985F427CA161F0D36797DBEBE8F39605A99DE34529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555703Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:19.947{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB3909BF933750F8C94B264DDCD085B,SHA256=B8E233C9FC70CA69B817455CBCACE5B15EFF5CF3588B83EF192F2FE5B2DBF140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654043Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:19.620{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935D5D21CCD4D7F943F35E975D75D3EC,SHA256=F1FE5061FCF104ACEAC7290ACC5C8057A0E7AD4EABAACF0989B6EBCFDB70F1B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654042Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:19.156{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654041Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:19.156{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654040Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:19.155{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654039Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:19.155{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000654038Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:19.141{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D55507C5677EADC563A3CAE653FAF56,SHA256=9B35506DCD89D8F89B040A38D1FFB51D553FC66DEA3962F8BD65C24857C7004E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555707Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:20.978{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A332CA298C5FDC77A25E0AD1CEBCA276,SHA256=5FA15014DB97AA2FDE510667241D86536A3FBA95CC6A64AE91394DB0259ECA56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654046Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:20.638{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9298722215CCCF774CF97278BA932163,SHA256=181BDE300D08D2DCDC8AC1C1BBDFC36C61DAB6AD420ED6824A23267E1C24651F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555706Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:18.855{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51714-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555705Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:20.213{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1BC17D1F94F48275B3860E4995207F1,SHA256=7FF2E2F0E6D9A9DFE8A05ED10E6DA7AB5DDF9F62E8AC36EA47504BD8ED7FE1B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555704Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:20.213{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34812A2085ACB73E11E35C5C2483A76F,SHA256=8A4D35F64035B517B144A82A042E75FA9DB3E83C085CDA54700E886FE0252D64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654045Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:19.336{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local58288- 354300x8000000000000000654044Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:19.334{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65440- 23542300x8000000000000000654047Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:21.654{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08ADE0A5377A7153894C3E4A26F11B6F,SHA256=46869B312616AD17136F12CCE2BC9B00BA321A7B9BFEFD0C78C1CF05AC05769F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654048Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:22.682{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A218B213FD45CFF5AF6BA9A6FD5C900,SHA256=E8919D375D1FBBE93D3608278938CD9F530478F30A6597B682B0E6E23123DEF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555708Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:22.072{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1872F96FE6F0C2391BB129FCF2EF040,SHA256=1B50CA0CBC7419E73B074CCE6B3D15F6C46B21AA5BA8284685A6E7F4D96CAD46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654052Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:23.696{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1802711A7B5C7E4791D31E6AAAA78D5,SHA256=2AD5CA12F8527C54B701012EE833503FDFDF7A46A760CD9E3101CF8E3578F9A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555709Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:23.088{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D87CA6C6040DF11327A107F67331E61,SHA256=B2FC93240EF80C44171BE6E01CEA4502764835CB0549E596EE77741C850A5103,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654051Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:22.408{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65290-false10.0.1.12-8000- 23542300x8000000000000000654050Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:23.204{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A25708A6027B98C91906B13C8A51A6F9,SHA256=1AA9F02E58F65A22F485952BB88BA6774E3AEF8D95CF0E4A361077B67463165F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654049Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:23.137{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 15241500x8000000000000000654059Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:24.840{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone - Copy.exe:Zone.Identifier2021-05-13 18:10:24.481MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x8000000000000000654058Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDownloads2021-05-13 18:10:24.839{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone - Copy.exe:Zone.Identifier2021-05-13 18:10:24.481 15241500x8000000000000000654057Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:24.513{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone - Copy.exe2021-05-13 18:10:24.481MD5=22BBE1747933531E9C240E0DB86268E2,SHA256=53AE3567A34097F29011D752F1D3AFAB8F92BEB36A8D6A5DF5C1D4B12EDC1703,IMPHASH=2F1ADC02EEC2C8681D1612C9A43CED84- 23542300x8000000000000000654056Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:24.718{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BA9205F51ECFA58E4598CC88A07CB3,SHA256=8C8E9CDC126A7796DE1EF5977869931456ABB160DD8281F1C91ABE16768B0973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555710Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:24.098{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2466C31B01817B3A519520926AF70AE,SHA256=C199E8C65F19CD3732C431AAB1E37C4183D4EE61A598DAE4B8AE6BB515328C18,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000654055Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDownloads2021-05-13 18:10:24.481{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone - Copy.exe2021-05-13 18:10:24.481 354300x8000000000000000654054Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:23.354{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65291-false10.0.1.12-8089- 23542300x8000000000000000654053Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:24.411{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BBA9185918FB33254235712D6D2E2A6,SHA256=FFB015ABE4174495AC4247674C674C552E97D03BEB9B668B45D2324E89910431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654062Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:25.817{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F3A2F6097C83032111DD58AB24B2B7,SHA256=B910E4960489C80F15C401F2E42CDE55EDB6198AA804576F191B375920CADBC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555711Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:25.129{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56C47A404381BB085DB1D68D9E16825,SHA256=36801824F30EBCD28093850CD8712A1AE91F60530F3EE78884A0A5C9A253235D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654061Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:23.641{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65292-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000654060Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:23.641{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65292-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000654063Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:26.829{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D9D846862DBCAAD739ACBEEE7EB205B,SHA256=1F91E86C73177F7562E1E293E58985BE3364D80890D904579CBE9CB0C43E8B63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555728Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:24.740{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51715-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000555727Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.817{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B92-609D-994E-00000000BB01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555726Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.817{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555725Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.817{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555724Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.817{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555723Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.817{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555722Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.817{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555721Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.817{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555720Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.817{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555719Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.817{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555718Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.817{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555717Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.817{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6B92-609D-994E-00000000BB01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555716Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.817{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B92-609D-994E-00000000BB01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555715Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.817{E1BD9FC2-6B92-609D-994E-00000000BB01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555714Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.270{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1B4BC32F2FECD4E22334A6D0A7715B0,SHA256=1A8334719DB1DE5736B44FD97AED577D81C1CDD87A640D3D9DC5967335E611EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555713Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.270{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1BC17D1F94F48275B3860E4995207F1,SHA256=7FF2E2F0E6D9A9DFE8A05ED10E6DA7AB5DDF9F62E8AC36EA47504BD8ED7FE1B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555712Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:26.129{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512BAB7CF81B3185C3D96F9CE4158DE2,SHA256=3940F0EFE29E5EA7F95F1A0CB033C1B09C6B0DB29591B197C97DCCEEE0579CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654064Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:27.844{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49DCB0B6F797C641CE8870C119CA3DA1,SHA256=D3913B403C944A1DC8261591C9FD30AEC1545728BFB9D087BFB7E119C6E6EE9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555744Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.879{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1B4BC32F2FECD4E22334A6D0A7715B0,SHA256=1A8334719DB1DE5736B44FD97AED577D81C1CDD87A640D3D9DC5967335E611EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555743Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.801{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555742Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.488{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B93-609D-9A4E-00000000BB01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555741Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.488{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555740Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.488{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555739Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.488{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555738Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.488{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555737Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.488{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555736Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.488{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555735Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.488{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555734Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.488{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555733Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.488{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555732Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.488{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6B93-609D-9A4E-00000000BB01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555731Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.488{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B93-609D-9A4E-00000000BB01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555730Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.489{E1BD9FC2-6B93-609D-9A4E-00000000BB01}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555729Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.192{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0ABDE0A538DC90B874C5B899AEFF06B,SHA256=9CAC85BE86E2DE9D7E276B4AB955785F3E94D651FFD004951A63CECAA47DDCA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654065Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:28.892{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF237229C9A6934095F4DB5B8E70765,SHA256=38D6007A4B2415F77694A4470FF182219EE573CDCF916FB76544949EE805079E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555759Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:28.379{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763799EDC546EF9365E3D82A3031AE18,SHA256=55317D7FBB546B86987429CEF5E7E3CD1DEF3BE2B6EF27F35C0357B6CA643B47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555758Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:28.285{E1BD9FC2-6B94-609D-9B4E-00000000BB01}38643856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555757Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:28.160{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B94-609D-9B4E-00000000BB01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555756Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:28.160{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555755Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:28.160{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555754Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:28.160{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555753Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:28.160{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555752Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:28.160{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555751Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:28.160{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555750Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:28.160{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555749Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:28.160{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555748Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:28.160{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555747Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:28.160{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6B94-609D-9B4E-00000000BB01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555746Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:28.160{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B94-609D-9B4E-00000000BB01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555745Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:28.161{E1BD9FC2-6B94-609D-9B4E-00000000BB01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000654068Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:29.946{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14E0F660ABD1C1F831B74DF55F57312A,SHA256=93836E8BDED15FDA8AB5948FA4AE7D0B6780A888498B4DBF5284C65A4D996335,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555762Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:27.427{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51716-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000555761Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:29.301{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96908CF378BCD1C48EBBD1C1186377B,SHA256=DF3C8C65CDD95993C6861E81531BFA297A3378FCA78F716E58EC0A974F722ADB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654067Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:28.331{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65293-false10.0.1.12-8000- 23542300x8000000000000000654066Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:29.096{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=157D3878C891BB1F6F561D879D00BBAB,SHA256=6E2BAD7A29E0E2FEE95CD498D89299DF185494AB0B62E5394221AAC90550A87F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555760Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:29.238{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4888C23135BC1909395F4A481B1C8D4D,SHA256=BDF1049159C75E4E47FCF38E586309DE823DF8B42A236AB69390A3D300B652E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654069Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:30.959{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A497BC4F0C8117B8E034BBE0C77067E5,SHA256=133A9687F4F39D8970EF99715104EB1D2C96C2D4FA0CD47529B312111A11CE4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555763Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:30.316{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBA485D977D6CDAD3C164A41396ED6D,SHA256=AD40FEDF0D8A50AC7B602F287985C48C3BE9692B7F7070371E3EEF5C70B0944E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654070Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:31.991{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C866AFD47639BF0EF23ED44A6E1DC29F,SHA256=6B15C478899797FC5EBC13998016A7F33F205AC0167B90D9791963378C6F4058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555764Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:31.332{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21633F1060C68BFD169E1C497AC773C2,SHA256=5B7DCE75FF401909B7A95E144D0EEFD6E179F8939D0687AC4C9B942D1AB41AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555766Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:32.363{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3E843E6CE875F0D69582B83BE940AC,SHA256=943EF6E4B0513B437E8F49057D0AFCB3A0A011588824DD98D12DE3D335E49AF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654076Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:32.686{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A54C-00000000BA01}2120C:\Program Files\Git\git-cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654075Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:32.686{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A54C-00000000BA01}2120C:\Program Files\Git\git-cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654074Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:32.683{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654073Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:32.682{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654072Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:32.682{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654071Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:32.682{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000555765Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:32.082{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69D383E7AB41C5D07DCD742598C8E87A,SHA256=F93B89898C584622C90700E49EFBB635EBB791AC26D89FB9F9B501DAB581CCE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555768Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:33.363{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798660CFF1B24DF6EE35679BE8AE3337,SHA256=DAA689FCA652CF292BF6DD18162DCFB5FB84716B10D9C06861FC158DA77C01CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654077Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:33.003{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A0B53A359B3D1173910FC059A09212,SHA256=64AE829847FF2BA16E9063028F35DF17E3D8282FCB78979455D59953A1B5AE2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555767Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:30.693{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51717-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555769Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:34.379{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D074022E33B91152564058E0D1DEDB,SHA256=C3F20355613EC23E299BBB15DD7DBBD957EB436438F65ACC494A726D61EB32EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654081Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:33.473{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65294-false10.0.1.12-8000- 23542300x8000000000000000654080Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:34.242{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98293EE4D8210CFC4B5EEE3099DC5400,SHA256=339815F159236C0629FF7D6720BD3CA7132DE9F620E82A9F20596FE7AF13EF48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654079Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:34.240{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BF4BBF182350360949FE1C192F8E26B,SHA256=0CCE7ED0581E36341E3E8652A92AB0C28D4B68E5E1244B1B05C9591CF2C93824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654078Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:34.008{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E798ECCD123D11B0FD39CF802E9D36,SHA256=CD899387297AF7A4C6095D6F7DB947D77F710E41E6C0A5F6D0D7D8B3692B03EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654082Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:35.019{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94782C77AEA6D4171133236686464C4,SHA256=BD896C16F278D0AA28315350A087121132E27DF07668E074F146DC4D1EA3600D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555784Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.926{E1BD9FC2-6B9B-609D-9C4E-00000000BB01}6364084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555783Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.801{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B9B-609D-9C4E-00000000BB01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555782Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.801{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555781Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.801{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555780Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.801{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555779Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.801{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555778Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.801{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555777Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.801{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555776Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.801{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555775Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.801{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555774Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.801{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555773Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.801{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6B9B-609D-9C4E-00000000BB01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555772Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.801{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B9B-609D-9C4E-00000000BB01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555771Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.802{E1BD9FC2-6B9B-609D-9C4E-00000000BB01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555770Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.379{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950C6A2A2F91485EBE3247C986EFC715,SHA256=13768CB5EA3EB56FA2C0A4073ADD783BB8F59D279A74644D60EA6E97032F0BEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555800Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.817{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ADC893D66E3FBD861F17CC02DB3050C,SHA256=A786407E4498372D2F22D0CC66311762F0AF4BE39B06FF6CFFC1AD4246BDE9B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555799Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.551{E1BD9FC2-6B9C-609D-9D4E-00000000BB01}35761616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555798Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.426{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B9C-609D-9D4E-00000000BB01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555797Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.426{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555796Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.426{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555795Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.426{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555794Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.426{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555793Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.426{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555792Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.426{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555791Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.426{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555790Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.426{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555789Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.426{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555788Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.426{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6B9C-609D-9D4E-00000000BB01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555787Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.426{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B9C-609D-9D4E-00000000BB01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555786Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.427{E1BD9FC2-6B9C-609D-9D4E-00000000BB01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555785Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:36.395{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA6FBBD87122E69A89DA1C9DEB4472C,SHA256=E72C7E64189E94D517E6F76B96D4EBDF992924A2D4FEB7576A9587322243C555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654083Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:36.032{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED780436C678514A9382E17384684263,SHA256=4C594F4DA31A693506264872037CE2EA0E4981297F569259E94DC9106677E824,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555828Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.676{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B9D-609D-9F4E-00000000BB01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555827Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.676{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555826Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.676{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555825Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.676{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555824Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.676{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555823Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.676{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555822Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.676{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555821Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.676{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555820Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.676{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555819Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.676{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555818Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.676{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6B9D-609D-9F4E-00000000BB01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555817Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.676{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B9D-609D-9F4E-00000000BB01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555816Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.678{E1BD9FC2-6B9D-609D-9F4E-00000000BB01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555815Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.676{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E20EF60F9151E571F813083840EA457,SHA256=8A958F2DE1FC78AC474496145CDC9DA26E8C5881361E2837CD35D07C38D263CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654084Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:37.045{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40AA5C591063D3CDB7E179877043F77,SHA256=9409E4B4EE0AE9BBAE6A664685E6B59631683DF70D12DB6E764A74575886E785,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555814Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.176{E1BD9FC2-6B9D-609D-9E4E-00000000BB01}19761588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555813Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.051{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6B9D-609D-9E4E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555812Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555811Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555810Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555809Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555808Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555807Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555806Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555805Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555804Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555803Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.051{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6B9D-609D-9E4E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555802Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.051{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6B9D-609D-9E4E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555801Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:37.052{E1BD9FC2-6B9D-609D-9E4E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555831Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:38.676{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4A8809FCF42F978F4FA1564C7000F0,SHA256=FC571D56679A4134637D7F64B6745529C8B1BD3C7EB220ACD0B103DD00438FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654085Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:38.062{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164475888F8A8D044B2E10C9BFC19B16,SHA256=77D80657025ADFE49A7A14F22FC56C3C024EF1B93A0D379ED0009A41AC67DBFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555830Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:35.740{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51718-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555829Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:38.067{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B54F38FF4E5CD589C87BAD22C8890531,SHA256=F8B4764BA3443E684B70D75F8097BCBCA561DB22657DD36922365FA108B9A275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555832Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:39.692{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F53B075ADBDB9A052288B523D65641,SHA256=C32BB4C982B82232DC984EA7BD4E7CA199FF02C9730E259B20CCEE09FCD7C2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654087Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:39.151{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98293EE4D8210CFC4B5EEE3099DC5400,SHA256=339815F159236C0629FF7D6720BD3CA7132DE9F620E82A9F20596FE7AF13EF48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654086Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:39.073{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2F6A6A119287A7260A726A8A434278,SHA256=78A203C0116696B741CD72F8CD4510F5D58F0D3B3A46CB1101D401266539BC45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555833Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:40.738{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B68F12E4B3EFB87699CDEDFA01F4D0,SHA256=7B059A4D983915A41AB9284D42B61FF942430367C4EA3604A550E35A10DF71D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654091Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:39.482{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65295-false10.0.1.12-8000- 10341000x8000000000000000654090Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:40.695{7B03F3B2-D0CA-609A-1300-00000000BA01}922724C:\Windows\System32\svchost.exe{7B03F3B2-6BA0-609D-8A53-00000000BA01}7244C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000654089Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:40.252{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB50652F07A4CFC9B58A794EFCC56872,SHA256=66F1C9454248ECE64A7987162892831FF61C941D2E83EA877F9A287DC8260A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654088Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:40.106{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8B63F6AB1F7911C9C159D1F69533B8,SHA256=E66385DAE89A3CC04F5695F2FEAEBE1A7CE479A3756672F4A4AB57E0433E40C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555834Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:41.816{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AC0DC16CCF3B5117B2B9D977D0B58C5,SHA256=72A54FD6E86CF56AE43AE7063146391D3F52CD2CD36BCED28B02E5D69F6A0590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654104Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.701{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F3E17F7F8DD79FC35221986C5ADC586,SHA256=EEBF00EEC128093DCCEDEDCEEABC222FB553EC93A3BA62423F6B35B9B236867A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000654103Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.160{7B03F3B2-6BA0-609D-8A53-00000000BA01}7244C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000654102Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.157{7B03F3B2-D0C8-609A-0B00-00000000BA01}6324648C:\Windows\system32\lsass.exe{7B03F3B2-6BA0-609D-8A53-00000000BA01}7244C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654101Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.157{7B03F3B2-D0C8-609A-0B00-00000000BA01}6324648C:\Windows\system32\lsass.exe{7B03F3B2-6BA0-609D-8A53-00000000BA01}7244C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000654100Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.115{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904DDFD6F906A5BD42A1DE5EC47F374D,SHA256=EFC6A17BC991E5EEA3C2C5299A7F633A922D212914747897FEB617B967EE52C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654099Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.089{7B03F3B2-3953-609D-A64C-00000000BA01}19044796C:\Windows\system32\conhost.exe{7B03F3B2-6BA0-609D-8A53-00000000BA01}7244C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654098Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.087{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654097Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.087{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654096Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.087{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654095Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.086{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654094Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.086{7B03F3B2-319D-609C-402D-00000000BA01}2288452C:\Windows\system32\csrss.exe{7B03F3B2-6BA0-609D-8A53-00000000BA01}7244C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654093Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.086{7B03F3B2-3954-609D-A74C-00000000BA01}19923584C:\Windows\system32\cmd.exe{7B03F3B2-6BA0-609D-8A53-00000000BA01}7244C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654092Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:40.696{7B03F3B2-6BA0-609D-8A53-00000000BA01}7244C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe1.55.1Rsync for cloud storageRclonehttps://rclone.orgrclone.exeC:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe ls mega:C:\Users\Administrator\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=22BBE1747933531E9C240E0DB86268E2,SHA256=53AE3567A34097F29011D752F1D3AFAB8F92BEB36A8D6A5DF5C1D4B12EDC1703,IMPHASH=2F1ADC02EEC2C8681D1612C9A43CED84{7B03F3B2-3954-609D-A74C-00000000BA01}1992C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /K "doskey git=^"C:\Program Files\Git\cmd\git.exe^" $*" 23542300x8000000000000000555836Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:42.832{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6FD3C6038BA38EE92A658CF78364674,SHA256=F71A3282D635664040395DF42D96DDCF175F2FE2A39C5807B7629032D9A0C01C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654110Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:42.931{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58534A5FAD055333B0D567C59448ED32,SHA256=BD03ACD1522DC1839040A3AA4BBC65196C3861F9D66CF9D3FC370B056A7F3C62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654109Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.400{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65297-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local49666- 354300x8000000000000000654108Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.400{7B03F3B2-6BA0-609D-8A53-00000000BA01}7244C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65297-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local49666- 354300x8000000000000000654107Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.397{7B03F3B2-D0CA-609A-0D00-00000000BA01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65296-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000654106Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.397{7B03F3B2-6BA0-609D-8A53-00000000BA01}7244C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65296-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 23542300x8000000000000000654105Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:42.124{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D7BDA27EDADB995BA5BE021B0D793F,SHA256=F1BD1F86439E910EC1A2D9053090A67D5CF89C1771D7FC3FB48253B51CF2D543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555835Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:42.395{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EEC5AF3053DC592DFCD3AD6C1DA3280,SHA256=E1BF84C514C057CCD41034B387F9CC860A6920C40A58F3E224AD3DB4FEF5BFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555838Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:43.878{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E249F975217AAD8D7A1F39248552CAD3,SHA256=5ABC6A3C29D3C495D5751482AD437F9FBCFE7E6C260D0AFE76F83AF05DE6B770,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000654112Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:41.398{7B03F3B2-6BA0-609D-8A53-00000000BA01}7244win-dc-18.attackrange.local0fe80::b173:2d3f:cb87:36ed;::ffff:10.0.1.14;C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe 23542300x8000000000000000654111Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:43.154{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FA54ABC02070A6924216E265E6A522,SHA256=DB2A31A2BBE612A7BC9D950F542306A4FE49C7F2D0EE288FD22B9AC46CB769AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555837Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:40.834{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51719-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555839Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:44.925{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDCFF19E92EF3B3C023BB38908A48D00,SHA256=3F6C4A6DE3D384AF7056ADE1E744D7A7DF7FE240C7373F9F2D248D1E3A5D4EE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654116Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:43.736{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local52389- 23542300x8000000000000000654115Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:44.548{7B03F3B2-4788-609D-774E-00000000BA01}1036ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1036.xml~RFa2cfcf4.TMPMD5=5714059E6175AA2BE2D911D4379F98E9,SHA256=264C6878029CE25FF6ED4F8B1DC23FC47E1DCE8FD2D3EE4B31E7066B69968955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654114Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:44.165{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D865F6340ED13C128324D0F7F91A9786,SHA256=A07EACB75806B8FE2ABF1E0A45D4DCC6CC06C9A258AB6E21376458B540FD9EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654113Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:44.157{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=206F0911AE61C25F712EF7BBF1B63870,SHA256=8BC61C52A7D8E5C6D6139F2FCBB4FC03A9AAE16CCCBE1CDDA4A46B82A7F4BEDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555840Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:45.941{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E010EA58B27D770367069F54A92060,SHA256=9BDDEB6D74922706DC8AFBB3AA5222A2B490B068AB996BF175BC7982368A916F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654119Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:43.896{7B03F3B2-6BA0-609D-8A53-00000000BA01}7244C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65298-false66.203.125.11bt1.api.mega.co.nz443https 22542200x8000000000000000654118Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:43.740{7B03F3B2-6BA0-609D-8A53-00000000BA01}7244g.api.mega.co.nz0type: 5 lu.api.mega.co.nz;::ffff:66.203.125.11;::ffff:66.203.125.13;::ffff:66.203.125.14;::ffff:66.203.125.15;::ffff:66.203.125.12;C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe 23542300x8000000000000000654117Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:45.182{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A5EDBB2A3FC62010AB04406C69D1B5C,SHA256=65F0D7F1E52DE10A87E1794C2909CDF48B7AB00404796AB916DC8B446E3394AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555841Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:46.956{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0778C90E5922744B08D532C7C516BB9,SHA256=9A611EE5564D35A1A088EA95745ECCF8DBAA7D78C1AC39FC3B95786841E67FCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654131Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:45.411{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65299-false10.0.1.12-8000- 534500x8000000000000000654130Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:46.444{7B03F3B2-6BA0-609D-8A53-00000000BA01}7244C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe 10341000x8000000000000000654129Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:46.337{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6BA6-609D-8B53-00000000BA01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654128Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:46.335{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654127Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:46.335{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654126Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:46.335{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654125Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:46.335{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654124Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:46.335{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6BA6-609D-8B53-00000000BA01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654123Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:46.334{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6BA6-609D-8B53-00000000BA01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654122Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:46.334{7B03F3B2-6BA6-609D-8B53-00000000BA01}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000654121Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:46.226{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6293053923606600E293FA637B14457,SHA256=DD2FEA12C5AFB50D1637CC4F049B6FE97D63AB5B881DD149EBE8DD73544A94B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654120Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:46.189{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9AE09E048A5FFF358C2AFDB784723F8,SHA256=D382C4E7C0ADCDE02A58CEF8D8E4974E083E3556F222DF5D2FBDE376FFCF92FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654150Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.671{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6BA7-609D-8D53-00000000BA01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654149Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.668{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654148Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.668{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654147Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.668{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654146Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.668{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654145Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.667{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6BA7-609D-8D53-00000000BA01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654144Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.667{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6BA7-609D-8D53-00000000BA01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654143Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.667{7B03F3B2-6BA7-609D-8D53-00000000BA01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000654142Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.340{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B4837FB6FCC6F7243B6EBF6A43AE09D,SHA256=06915863E4FA3E0C288CF8BEAEB5B8DAB59A56810E1A1DDFBB2BCB04DCB1C483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654141Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.213{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D34B930A11905CE63632817B7C8065,SHA256=67F534D988E035334FBF91461C14B4F0E8F2FA124EE9AE8C257F32F2234029E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654140Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.159{7B03F3B2-6BA7-609D-8C53-00000000BA01}32526372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654139Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.006{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6BA7-609D-8C53-00000000BA01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654138Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.004{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654137Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.004{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654136Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.004{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654135Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.004{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654134Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.004{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6BA7-609D-8C53-00000000BA01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654133Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.003{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6BA7-609D-8C53-00000000BA01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654132Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:47.003{7B03F3B2-6BA7-609D-8C53-00000000BA01}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000654167Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.992{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=1E043B665DD7CA96DC3960B5C0546E5A,SHA256=480106CC2B977E464F3C66D3B3019B00DA4D3CB8E33C52DF38AF85416DCF99CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654166Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.991{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=CF2886EA02D4C572C35694D43B40B8F9,SHA256=C3445A6110B5E70BB38C66E2DC8E41CAD0DB42923F54BA1E55572CBAE2B58073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654165Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.990{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B11D9D87734F3B6BA659F1DA8EBC267C,SHA256=C9F20A3493B4D75E33A6193FF10D981EF35BD9949CF98C68FFC3C35EFCEF3D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654164Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.989{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=1F3B1FD8436D1CAD47B1435E2B88CA12,SHA256=424D80CEFAA84FA42A6C1BACF75B495EDD04868D66CFBD81034D01B442F11944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654163Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.987{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=DF56706DA3493EA7A22D57407AC51A12,SHA256=9712089062B4B06262CA9DBF4D333815DDEEFB695480E42C12ABCB581874FD21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654162Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.679{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7D1B4F09EE7E508F5FF7C3F0ABC6A97,SHA256=44D3A79A492153E3CAA5F473EA3A2F465ED6447B5B221E84F1C367347B28346E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654161Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.655{7B03F3B2-6BA8-609D-8E53-00000000BA01}75807100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654160Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.478{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6BA8-609D-8E53-00000000BA01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654159Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.476{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654158Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.476{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654157Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.476{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654156Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.476{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654155Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.476{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6BA8-609D-8E53-00000000BA01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654154Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.475{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6BA8-609D-8E53-00000000BA01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654153Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.475{7B03F3B2-6BA8-609D-8E53-00000000BA01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x8000000000000000654152Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:46.687{7B03F3B2-6BA0-609D-8A53-00000000BA01}7244w.api.mega.co.nz0::ffff:66.203.125.32;C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe 23542300x8000000000000000654151Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:48.231{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14E4461C2FD3B9AB163796D87761F7CF,SHA256=17C58DC135EC9B0C81B6598AA3CB6221682EFA5550F8B74B9B61CC6384CEEE2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555845Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:46.739{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51720-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555844Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:48.175{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=249A48AB25420BA6E1A07601D08D93A8,SHA256=9341E1A25FD02B95DBD0F09C98B94C5F6439635EF1E5E4761AB94B1CFFA5F92B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555843Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:48.175{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=737C62B9DF2379CE0763884F28207B06,SHA256=9CF153C286DF16F7D21BA01E495A9044A28237BC4896B672E79BD1376C156C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555842Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:48.050{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37003D8620E362558608C24FBC7BF93E,SHA256=CF2711AA2F81775F728E63A8EBCFE8FF652633C964311ABA5489255C02C104EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654180Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:49.446{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD195EDC02AFE47C9B784BAD2D61C0E7,SHA256=700239F29D90C3B0B103A356BFB3539DD0F9B93C6390AB33E888F3199726BC52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654179Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:49.324{7B03F3B2-6BA9-609D-8F53-00000000BA01}25407788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000555846Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:49.065{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87BC3C8D19EFE8956D04471BE7C62781,SHA256=D3A27C83B5A6128FC88C8F8F02F8F5E5BE043A559089800D2EB7C1FCED47AE10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654178Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:49.161{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6BA9-609D-8F53-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654177Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:49.158{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654176Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:49.158{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654175Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:49.158{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654174Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:49.158{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654173Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:49.158{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6BA9-609D-8F53-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654172Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:49.157{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6BA9-609D-8F53-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654171Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:49.157{7B03F3B2-6BA9-609D-8F53-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000654170Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:49.009{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B18C473FD27414E9EC4B07E6B20B3458,SHA256=1243C4438A73455B22D7666673424E38C8E6E036D79DDE0CD37B770232D9B399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654169Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:49.008{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=94E4FD62E46899DDBB7F2C403F408263,SHA256=356199CCC1B866E141B486A51AA2E1FC413240278CEDD49D7B875A8A23EE765D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654168Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:49.006{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=48E97BE15004F8525D4B4771F7409DBA,SHA256=6732C572048B1A6646F75657AB41CEAF77EFEFF3FCB26F45F16F7F8BF60128EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654182Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:50.338{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8939584F4D881A3AB79DE9A0C599B25E,SHA256=DCE631426DF1E3F71A84D1942422CC8F1AC916B2C8EE16E500D71127E2EF7CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555847Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:50.081{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C810D5F4708480AA5F0A806426D7BE21,SHA256=2BE91D2670F7C2C13A0DF9B5CB1983A9F61C024ECB6BBD93112F33B3902DAF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654181Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:50.179{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C1F24964ECE4C6F1F72AE75F47E67A7,SHA256=AA03460B6219774E7A0090E8669D4B072F228F18F848B618EC8BC7DEE05D447B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654194Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:50.422{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65301-false10.0.1.12-8000- 23542300x8000000000000000654193Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:51.357{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97F6080C5E73E6000156D066CF7B169,SHA256=A689658FB45EBFC297B78FBFDDD000CE370E4D096EF313575A51B9C820C79667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555848Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:51.097{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B887E1D29B621FF8CB6F73189F389679,SHA256=549C4DE6D27C34A979FE43E1FB041A95325DB511E84193CEAF7121478CD49818,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654192Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:51.335{7B03F3B2-6BAB-609D-9053-00000000BA01}79364584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000654191Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:51.199{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F4BCCA800E471D8CC95B6DFAA6E2A5B,SHA256=271F1F60FDE1766CDCF0E91C050EBC539E58EED89CA40BDCC9DE3E9DC57B95F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654190Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:51.120{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6BAB-609D-9053-00000000BA01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654189Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:51.116{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654188Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:51.116{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654187Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:51.116{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654186Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:51.116{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654185Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:51.116{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6BAB-609D-9053-00000000BA01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654184Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:51.115{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6BAB-609D-9053-00000000BA01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654183Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:51.115{7B03F3B2-6BAB-609D-9053-00000000BA01}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000654205Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:52.978{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0A93F2460E3D3F95205B13555E321217,SHA256=001BE6C21EC8A66ECAC0B2E0A2E4050039AE6040F6C4D67A049816128B2DDA53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654204Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:52.400{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2405316172F6D5B25666A8E56206230,SHA256=A2A0D25747E47A2C95621FFC65522DEE038A7F14E5066E1440B92B62078BA067,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000555859Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:10:52.769{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000555858Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:10:52.769{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a25816d) 13241300x8000000000000000555857Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:10:52.769{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7481a-0xed68aec2) 13241300x8000000000000000555856Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:10:52.769{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74823-0x4f2d16c2) 13241300x8000000000000000555855Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:10:52.769{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482b-0xb0f17ec2) 13241300x8000000000000000555854Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:10:52.769{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000555853Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:10:52.769{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a25816d) 13241300x8000000000000000555852Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:10:52.769{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7481a-0xed68aec2) 13241300x8000000000000000555851Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:10:52.769{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74823-0x4f2d16c2) 13241300x8000000000000000555850Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:10:52.769{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482b-0xb0f17ec2) 23542300x8000000000000000555849Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:52.112{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EDF1906BF8380A3CEF0A0C624DA0D3D,SHA256=134CD942BF63A42C79A21CFA3ADCF7B8556CCF579CB7365FBEC8563194CE3BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654203Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:52.355{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77BBC9A73297450719730CD2B7D127D1,SHA256=B8D33A0EB8B5CA96D69A7901717A1F9AEF82FB6E7A97B94C0EAD1BC64B870599,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654202Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:52.019{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6BAC-609D-9153-00000000BA01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654201Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:52.017{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654200Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:52.017{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654199Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:52.017{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654198Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:52.017{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654197Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:52.017{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6BAC-609D-9153-00000000BA01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654196Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:52.016{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6BAC-609D-9153-00000000BA01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654195Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:52.016{7B03F3B2-6BAC-609D-9153-00000000BA01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000555862Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:51.754{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51721-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555861Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:53.175{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A230F6F6B098394D053E7ADFC982FC,SHA256=3A9482C830D989A8ECCD8D5ADA853E01DA3D9E318CC720A8E8F8DE61017C3762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654206Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:53.404{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A2516709D8ABE13116F0A89399B89E,SHA256=E59525823A64B4E3DF8FA04FE4CC7552D737F8F69DDCAB84E12AA8B5D0B586C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555860Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:53.128{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=249A48AB25420BA6E1A07601D08D93A8,SHA256=9341E1A25FD02B95DBD0F09C98B94C5F6439635EF1E5E4761AB94B1CFFA5F92B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555866Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:54.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555865Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:54.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555864Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:54.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000555863Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:54.222{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F790912E90250BBF538D11317B73404E,SHA256=873E485D8E24859F47594DAD8A2926B884B92C026532E3D188EC80F9C7468D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654215Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:54.423{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E22F8584068484531493AA8F23A143,SHA256=EBEE9DB14F51FFB8935BE14158BB64A14AFB0A9EFF6379CABB41EE5900211964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654214Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:54.027{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=A6DC9F2EC3750E25C51019A54FF809B2,SHA256=06C6A1DC229F522F3CE19C961C0FBF9DEE037F3CA194F99E28F73E3AF7C63C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654213Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:54.025{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=F752A410552E1571E929388F422637C0,SHA256=0ED580B6474708C49C3CA5E069E7C09A065C58AB36EB6EF0A313C89A6C4E90D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654212Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:54.023{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B042BFB09249152F9C962EA0D4B72BDA,SHA256=4431A9B46960E023A13EA86E5139716B1D8445495A1A891D3706482A10FDD116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654211Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:54.021{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=5BE788919AE4F68CE56CFC2ECEDC615F,SHA256=18748334CE5B315BF15BE864B9D4DC5DD95CC1D2E126C58D9ED9DCDEEB0F67F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654210Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:54.015{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=9A4E1D0C45CDF4A7F4D35B59A7FD91AE,SHA256=B7ECD9DF6FAA003E83EDFEC0A57D0A26A94F00B282989EC202F4840F23D786EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654209Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:54.012{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=74638F50E032C56E8E58688F3C88767C,SHA256=FDA4009101A77D040706A30E15367603BA5AC5A348AD6AD9171C304104B02319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654208Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:54.011{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=5119F3D36545E86FC277B7C5D83E3469,SHA256=0FB2D6588E2B276A2F85076050EF0E0B1F3C82E7A69D4D9BE7A3717C336C357F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654207Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:54.008{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=11598BAA8ACC00BEDDBD7ADDFBA0B1CE,SHA256=9E708109E591D4A96912372329371E9C402C0164D568F4658239B9237BF4A946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654216Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:55.471{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD37A31F54085A6C3612851FF13ACC5,SHA256=2E64FF734C37C074FED61B5BFCCCF553DAFC87EADA99FC8A9BAE54A9FA74B62A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555867Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:55.237{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260693B82DA82D4BDBCCC43FC778FD1F,SHA256=6B98CBD6F7B5FDC30BC8081898628D237437520E7152B1104FAFA411348D04CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654217Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:56.487{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F65784030B24A49989B788F0E48725,SHA256=DF97725A77A0E1C4AB2FD406146B723938901A349FE22AF7C02E2324AD611574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555868Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:56.253{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02817DA38C772B6DA92B94A6E9582C1C,SHA256=3B5AFD788D81FE512A175396C8075E6E4CC108E4A9EC84AC8E25FF2C97AFB2D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654219Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:57.497{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FBCEADD9F5E6ACB76A8B58708B8E45,SHA256=373C08B083367953215F0E0B78758D398EAE7E52B0CFF0FE87717913684A36D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555869Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:57.269{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87913C20FBD34367CDA0C22FB58C555,SHA256=5461B6C73DA9B6446229B621F69C8710144BE9B02E4576588E619A0045FECA8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654218Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:57.067{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04336091EBD85B63FCCAE1C0321583D3,SHA256=AFB23DFB2C24DC7EAA3CE6C8E8E3A000EF0D147FC43C4D41C060C429044D1D0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555873Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:56.832{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51722-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555872Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:58.300{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B161946A5FA2D16443279449919AAAC,SHA256=7255E3AB493C1B306293CF98B0363CE12C7D4A876985E4D1162590DD3449C71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654221Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:58.502{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D842B13A6B9D732EB873B255A582F1,SHA256=004918B232E9D1D952FF75B2EB14A159B017290F2F9F78C116833C11CE32E7DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654220Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:56.301{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65302-false10.0.1.12-8000- 23542300x8000000000000000555871Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:58.222{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64D63891E7ABA0F033154F027D499BF3,SHA256=71D0DAA621B8332858ADFDC9E250E2A41D533804199008026E0C5DAB604EC976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555870Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:58.222{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=824986DB805896CB68C1CE796E2F3A7C,SHA256=DB2AEFA4F409B6C7860F1B1BE71886C9F78415CDA3D8BA24D28E8DA60C1B375D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654241Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:59.514{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B01DB4CCED65FD93C2ED661B8B72646A,SHA256=88DFA14D3C4495663138B47AC14664FFDA2B8EF35045E33D67310680AA94C225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555874Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:10:59.300{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9760CF8EA4E3A8E8C4177E438A197AAF,SHA256=90D914C4930256754CD52A2DA8224FEB6A1CB758F4ADBCDAC9F7106CAC94D2CA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000654240Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:10:59.259{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000654239Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:10:59.259{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a2d3663) 13241300x8000000000000000654238Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:10:59.259{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7481a-0xf161a1dd) 13241300x8000000000000000654237Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:10:59.259{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74823-0x532609dd) 13241300x8000000000000000654236Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:10:59.259{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482b-0xb4ea71dd) 13241300x8000000000000000654235Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:10:59.259{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000654234Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:10:59.259{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a2d3663) 13241300x8000000000000000654233Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:10:59.259{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7481a-0xf161a1dd) 13241300x8000000000000000654232Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:10:59.259{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74823-0x532609dd) 13241300x8000000000000000654231Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:10:59.259{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482b-0xb4ea71dd) 23542300x8000000000000000654230Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:59.210{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B1F3436A70BBA6EEEFCC098B0E538C2,SHA256=7685A64BB64F13DE732E979EDF5298CD01F187D6E302635F653101A32F97EA9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654229Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:59.053{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=D937DEF7593C6DDF663B9E31D98BA54E,SHA256=9D77027456E39931378F44C0BD8B4B54A2E1C44E89CC3852C3DE1304725AAA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654228Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:59.051{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=9EBA78FBA74B9FF8F7091853E94F9EF3,SHA256=038DEB58A33F8CC3344AAD73248A0E72CB108DBFE9922556610668F5F08C6F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654227Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:59.050{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=F0E789C86BEFD8D154634D3C118D5EF6,SHA256=E584A53ABAD64CC73400E1E34494C95A7FEEAF1DEC518EC4FF45F644AA052A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654226Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:59.049{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=BDC6E64FC923816B5A7D7C082CD843E9,SHA256=86AEC149CF31C8EB510A9DF7CD709C1DE8766874975B3B4CE09AB3C49FF1EA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654225Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:59.047{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=4667A7FA111B478B09DCB1EA7711DD01,SHA256=4550E7920B40349836A78C03217410E00D247D37710AD828064B53F4CF82D320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654224Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:59.046{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=39139CAA14435CEA6FE7ABF4EA89FF77,SHA256=7284831CC844D096C448C413BABAE35DA3AC97F8C0FF3B84BC5E4E4FFDD97141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654223Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:59.045{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=0D72D0C676882734F605645A0A51C9F6,SHA256=E2349FF15744CE42C581D3E643BDE4B96A6F51B4DAE69F840B8697427F328124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654222Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:10:59.043{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=523AF3726D0E09DB09B4E6F56E47D42D,SHA256=A6D64B9B3D5C055E8CEE907EC2C7FA1FC4D77D3EBBA0D348992EF5CE68950397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654242Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:00.522{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB58E3429CACCA0DC50170447C17EEC9,SHA256=A54A456FFBAA1FBB043E091E69AA009C6BA56028E016909AEC29D4E54E3EC5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555875Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:00.347{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88804DF37613AD22AFD162FE3A9EABAB,SHA256=F25C1C99BC96AA9867C0F4F14C077EF2E119AE2022302601D5CBD84C32811E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654243Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:01.547{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696E6390C18682C863BD44C1DBC494C8,SHA256=C316FCECB298195D524A7F622DBD2357D787F6E54413C54E3AD12DCBF831AD07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555876Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:01.472{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DF10D6B9D19B6350A09D6CB96955A0,SHA256=5BC2907C308323A9940B96BAACC99525113F6358DB7D6D76AC6348E94095F252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555877Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:02.503{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9716A652A78990C929770E14DBEC36,SHA256=F80C438E723333772F1AC82A9297A086E72D08C9311DCA31DE55E85A5379E29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654245Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:02.562{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59DDB38145F580380ECFA9FCB5022D3F,SHA256=E008711F1475C8CBD8ACEE0C708FC764871446BF3D8A81B46261727740294D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654244Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:02.140{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BFBBE70AAD17BE097D6C668D0CEF341,SHA256=571FFBA7233092A7C06DEE34B3E3C25A0AAEB0D6B5411DE536F155BB6D047CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555878Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:03.506{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985B8470F133E5430AEA4C4B89981C9F,SHA256=D2A19373AA50ABC9937A5B9B11153632886B82E071D947DDC13C92E994B308DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654247Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:03.590{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A7B1277964413EE55B92F0CDF8C740,SHA256=924487F57B75B954AC87CDFC2D39505D733F7CCD0B4FC117E5721FCD77D7ED94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654246Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:01.368{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65303-false10.0.1.12-8000- 354300x8000000000000000555882Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:02.707{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51723-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555881Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:04.521{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73EFAB35F4691D07850DDD7255450238,SHA256=2FE669DB1BD4C601E4FE0D3585C9C444AEF08BCE9F83A5D8A4D7D58A95E16FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654249Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:04.597{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C156436BC5D5C34937B5154C60CF326,SHA256=AA8FE89F24D424FE1AEF7E6A8410C43BDA54A3DB3E318FD1914B134A7B879744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555880Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:04.084{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEA66C41141AB0A5FA93ED69BE0D0DE7,SHA256=30F60016AB994974C3E2BAFBC02074AAAB13EAD2EAF2E3B865C296FF4CEDF86C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555879Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:04.084{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64D63891E7ABA0F033154F027D499BF3,SHA256=71D0DAA621B8332858ADFDC9E250E2A41D533804199008026E0C5DAB604EC976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654248Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:04.169{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7FBE7E59306B2DAB2900B3CAE1A8BB9,SHA256=6469DB3162EB56BB7981646DF57FFEB3ED4498E1A870DD7935D970F1585922AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555883Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:05.537{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEAA9D423A8FA6AF613D70F55BD968B,SHA256=EA49B4E5A3D2E1336AECF719B5608370A257A44D8A69E4A708A7AAF1E71091F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654250Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:05.611{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2B00DDB7E5F99A2B79885FFB8A6A48,SHA256=A64DA944E463628709CE9F2995AD5778AF58D397EB3CD90A4F34D2FFAD4204E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654251Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:06.618{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89AF49D133D81C7A3CB8DE757B9B0DF,SHA256=4FFB7EC67468F074052DC9B09EDDA4477D1401F142BAB552531F6E7476E5411B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555884Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:06.538{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F330827EA1A4DC26D573A7CAD3F1614,SHA256=A80FC3D98007563E97D43527B3A861D58559737BBBC79093458B25826A01DBA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555885Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:07.598{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4832BAD8C77F5B5097FD9F02335801,SHA256=8D5A1E2E17C0787DB743C74DBE52CDB3CB2A1631A3218C106A99891A9624534C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000654257Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:11:07.800{7B03F3B2-D0CA-609A-1200-00000000BA01}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74823-0x58962708) 23542300x8000000000000000654256Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:07.644{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5141C122A24ECA187B3D50FDFC1AFA17,SHA256=1BC61CCA663C1057F1AAF4D70110D5C156DBF30A8095CB5507D9A0B8DE55A6E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654255Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:07.259{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD090031B6C4E7BA865DBD8A6D42D839,SHA256=2E0C2AC2983E49FA6EAFED9FDA5CBE9119B70BBD41B68E160A7E459B0095AE95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654254Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:07.243{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654253Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:07.242{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654252Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:07.242{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000654259Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:08.659{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E058532A340E929438BA7A4B3F1AAF40,SHA256=F6070FFFD3C6158955EBA67D885C899F19A807B64A4CB8CA54BCC01FE1FB0CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555887Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:08.834{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=15F87DFC8D889914B3B59699A4E22FA4,SHA256=01D46CB083C33375DE283A63F33662DA8EBD95021F1BC862108B1E718F285DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555886Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:08.615{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C741B481C343DB28E7C1A78D6080077,SHA256=573A68FD680587026E3EA6E5B7F080F5B699B6455F832429E773ECACF51E1BF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654258Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:06.486{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65304-false10.0.1.12-8000- 23542300x8000000000000000654260Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:09.674{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD66C0E1363DA6D9F3AF4A4015D6D726,SHA256=87092A51893D3D799CA5591B7BAA3FE039B8C333B8D581D79DDF26F4F8BF52B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555891Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:07.821{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51724-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555890Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:09.646{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F64EAE2F26218C98966D082EF68F5D1,SHA256=CA4CBC71C95EEE956CDA3B010C3879846D42A38AF1E884A76AE90594A54F4FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555889Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:09.381{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF83DF9AA54E32CFEAA53C24342D5426,SHA256=991512A1DB7920AD5AD4C818FC827C285D83E81F20B304862A69DFD7F19E92B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555888Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:09.381{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEA66C41141AB0A5FA93ED69BE0D0DE7,SHA256=30F60016AB994974C3E2BAFBC02074AAAB13EAD2EAF2E3B865C296FF4CEDF86C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654261Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:10.698{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222D423EBDAC78307A75F2B8743986AA,SHA256=AD6B1CA52107CF8EF44532722F5C484D278AF4FD61834CA405BFF9521E0D156E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555892Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:10.662{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98095016D6A0E118A437AB3CE4A85177,SHA256=A1F104C64A3AD67B94FDF1A7887809AD06E2549F5963A5EA9AA0683E95A3CEBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654262Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:11.704{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A48C70459100874BE61DB3AD25DC14C,SHA256=10F521A298C2E4817F076C5A028CAD3060C41510C2BC674B8F0FC0D709B4DAF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555893Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:11.709{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849EFC1043947857F5B5CED3FBC5E9BC,SHA256=7D3A7E19D5BD74754B6A729C201089457041242696013D68244526FE6B4897AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555894Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:12.724{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208745269EB779584434EE66D5120700,SHA256=417326282487F963CF57A1811E79EB2C5658C29CC42BF8CA4979EAA4C98707ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654263Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:12.718{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB90D1F6B76B2DA150C6787DCEB5C7BA,SHA256=EDDFFDFFAAC9A1ACE6C02C06A059ADDFA4FDC23C613281DFAADA688313FD7BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654266Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:13.740{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988DC6CDDF5F431732D76756AEA5BBCD,SHA256=77AA4BE367F17229131E3FDFD760CBF75284BDCF113D9E661CF775D0557EE8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555895Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:13.787{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BDD4424893531776B1C91F2E09E722,SHA256=FCC296FF9788104C952E448671513AE3EF21293B9705C27BDC487EE5A3726F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654265Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:13.090{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B58A313219C39A80F2B2CCBC6A136FF,SHA256=ADD036FC7972592C22C8192B3775300A3B675D1F6FC3D45205B4FC089123A275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654264Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:13.089{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57AC3DDE7F6FF0DCA1A618E27887524A,SHA256=7F3B6B78EC464573F3626EAFFD9575AA14B54A9F566EC94ACC1F2B5942E79FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555896Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:14.803{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C493ED4BA2C66D64B1A14EB8CD46C31,SHA256=912AE8B87E5B06E2F1AF41CB7074B6553664BA2460BDB49BE16E8097967F5FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654268Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:14.751{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E0E54766501F26259A900FCD1DDB31,SHA256=FA61185E6D50B0BED13C14CDDA03CA23DF528B43B9D7A1CD2644228DD20E607E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654267Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:12.322{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65305-false10.0.1.12-8000- 23542300x8000000000000000654269Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:15.767{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A5FCFDBA0DE3DA69E2CA8F090723B2,SHA256=6B6FC66D8B8F61E49385A73E821A9DD2CC1D6B979064C05CE346952648E8D310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555899Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:15.818{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C90FCAF81B558CD6755B0D80CAB98DE,SHA256=79FDB7BDB10F0FDEE68A059EA2A82028B0914A8AA3E3322FA9E9B725168EE5E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555898Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:15.099{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=775E36ABDBD9A93CE766F9D1E042FF95,SHA256=5A6B02A5FE59A7A32270CEDEF77C93666004FE433D90E77C71732A901B5D7791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555897Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:15.099{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF83DF9AA54E32CFEAA53C24342D5426,SHA256=991512A1DB7920AD5AD4C818FC827C285D83E81F20B304862A69DFD7F19E92B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654270Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:16.783{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3A553132D5E47B7CD5C349B29967C1,SHA256=E50AFA2A61F7A308D139BA5AA13ADF9B8EAC44451BB5AFBBBAD7B08EF8BAD02A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555901Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:16.896{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEBEA61A9B9748AC7796B7FFD7E48CB,SHA256=80BC6FA69DE87487FC8EDC7EE54E68910A268B22793C132D3D55C6F8188320DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555900Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:13.695{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51725-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000654271Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:17.829{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB484C028C19510CA5C976AF80D0BBD4,SHA256=26EBE83BCE4785280C49A410E1DE43AD7DCA30885381D3A0BE267234EF90035D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555902Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:17.928{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A371F4287ECA90CF7F844F8D52BDF633,SHA256=EE1E5DA34A0EAB75D04843E9EAF39924B847C4E8FEE700643B4AFF0E28CEC862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555903Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:18.943{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E39367EFA2721B3A1FC3B817DD7C13,SHA256=44807B7AF3750B33A96F31E6CCA08CEA696C7206DFFCB3EF9DD3B7A03E6AE9FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654273Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:18.188{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A9852BBED0E23BB6271B242FAD3FECC,SHA256=D3D188CD9868EA5F2FA55344CAB340AD8F7B2F9EE596639E198DB9A0CA9619F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654272Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:18.187{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B58A313219C39A80F2B2CCBC6A136FF,SHA256=ADD036FC7972592C22C8192B3775300A3B675D1F6FC3D45205B4FC089123A275,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654275Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:17.396{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65306-false10.0.1.12-8000- 23542300x8000000000000000654274Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:19.067{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC55B577220E4E3C069D18F3AA4A6B28,SHA256=F9D12D94E2496DA5BB234970EA01B070B2C9566CC5411C1651DEF0E8DF373337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654276Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:20.086{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE59D7674F96C89819FA66B817B76EF5,SHA256=7138F628581438AA00805E74E95102BFA19A63CD13936A74E31221704BB0F4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555906Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:20.224{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B047CEF3CD8733C2A7CA5D304B1A10D6,SHA256=F2A24553272FF8A5458F5F48E4FFC4644075CA5AC80B41168D04E5C7BA1AF61F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555905Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:20.224{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=775E36ABDBD9A93CE766F9D1E042FF95,SHA256=5A6B02A5FE59A7A32270CEDEF77C93666004FE433D90E77C71732A901B5D7791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555904Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:20.006{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13BEDE25580317C836A7FC49AD77C083,SHA256=2AA2993AE27ABBA8FCA6CBBF293DE5C2AE05A16904D32ECEB2EB7A0F062188F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555908Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:18.804{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51726-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555907Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:21.021{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405A3DAA6B7F10925867E850B06D07BA,SHA256=274134E2112F52B427CDFD4C661F8F6088980EB9CE4E047E36E45C541ECD5BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654277Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:21.106{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07048B793876838A12D93093A4CB5E3F,SHA256=AA60192B5825383A7C45BC232CB8AD74F0EA0F135756409284F1A0632FD87760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555909Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:22.053{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C592079F4F00CF259417F485C9DA49,SHA256=023EB5EC31364202E132D3330D5DDD2FDBF1288A7FD63634954460D0E8ABC3EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654278Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:22.115{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65FCB794F9E7062EE1EC958688916AE,SHA256=AFAC4DDE04861CFCE42D19D12E2C720E62025253F40856A4780EBAC19CF217C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555910Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:23.053{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7145D011F9A0526BEE970BB7D30864C,SHA256=97E4FA3FD713E698C9AC5E19EE2A51B1B86424E7BDB5E341EF44555AE60747F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654280Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:23.159{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654279Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:23.119{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0CD924CE27F629CCE2B7AB623BE5CC,SHA256=7AFFA688E0132BDE59BE600836907D6DBE8946C81F7FC0F97EDC34759FFAA49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555911Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:24.101{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEB1849223A0875A37582D08BF5D616,SHA256=B2BC5AB77E1AA2A2E5E29EA45195362DA9B639C4BD7B0F17447B033F07C24263,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654284Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:23.328{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65307-false10.0.1.12-8000- 23542300x8000000000000000654283Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:24.127{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47BB1296C02BE3BF54D0AA65D5F895E,SHA256=0E31BAA5B2258CAEBD7F5018832B7A42816C8B096C546D98B200FC17C802B88E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654282Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:24.095{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D7B69E621966C2F36B4BF9EA1A3EEE7,SHA256=AC401AF4D1BD4121E331807F614D0126768DD59EC8D95BE00FDA0C266536F882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654281Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:24.094{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A9852BBED0E23BB6271B242FAD3FECC,SHA256=D3D188CD9868EA5F2FA55344CAB340AD8F7B2F9EE596639E198DB9A0CA9619F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654288Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:23.674{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65309-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000654287Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:23.673{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65309-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000654286Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:23.380{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65308-false10.0.1.12-8089- 23542300x8000000000000000654285Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:25.135{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D2690604735FAFF725A0A01AD1BAC99,SHA256=9027382EE97BEF4BD147C112A347AC60F6BBF6C60BF23A1EB9B2584EBBDA261C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555913Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:25.210{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B047CEF3CD8733C2A7CA5D304B1A10D6,SHA256=F2A24553272FF8A5458F5F48E4FFC4644075CA5AC80B41168D04E5C7BA1AF61F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555912Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:25.132{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A31F4A2E95594132A83C6F4B99BE88A,SHA256=8E91BE855CB6FEA12FD8C0DA364A59A91B1D03BA97A48BE56F5DC0658E9D42A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654289Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:26.148{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530CA2EA42D83FB0CA5CB4AF990B910F,SHA256=1A011015374AD030BD3E80CBD4EC2F817C31C93481DA204EC29CFD6B912A19E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555928Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:26.820{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6BCE-609D-A04E-00000000BB01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555927Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:26.820{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555926Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:26.820{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555925Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:26.820{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555924Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:26.820{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555923Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:26.820{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555922Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:26.820{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555921Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:26.820{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555920Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:26.820{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555919Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:26.820{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555918Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:26.820{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6BCE-609D-A04E-00000000BB01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555917Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:26.820{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6BCE-609D-A04E-00000000BB01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555916Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:26.820{E1BD9FC2-6BCE-609D-A04E-00000000BB01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000555915Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:23.821{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51727-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555914Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:26.148{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68684A53C73A4239C36A339A025A892,SHA256=6B428CF3AE4E911044B542313B426B6060407E00F9A1BE01DAC655B2F170BF8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654290Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:27.157{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B097AB67E6CB40F0F7B06CD487613AB7,SHA256=3CA447C4AF8715259580312027EAB0778E11272132CCF482756272DD8C9D21E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555958Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.945{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6BCF-609D-A24E-00000000BB01}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555957Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.945{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555956Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.945{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555955Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.945{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555954Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.945{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555953Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.945{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555952Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.945{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555951Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.945{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555950Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.945{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555949Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.945{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555948Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.945{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6BCF-609D-A24E-00000000BB01}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555947Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.945{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6BCF-609D-A24E-00000000BB01}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555946Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.946{E1BD9FC2-6BCF-609D-A24E-00000000BB01}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555945Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.929{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BA848094D5EC5D8AD1137606146B0F9,SHA256=7B82B3F1FA199007C14108D04AD1ED67B7360965EA13BA22DC137A37E834629E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555944Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.820{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555943Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.476{E1BD9FC2-6BCF-609D-A14E-00000000BB01}37163612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555942Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.320{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6BCF-609D-A14E-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555941Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.320{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555940Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.320{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555939Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.320{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555938Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.320{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555937Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.320{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555936Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.320{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555935Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.320{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555934Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.320{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555933Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.320{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555932Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.320{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6BCF-609D-A14E-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555931Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.320{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6BCF-609D-A14E-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555930Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.321{E1BD9FC2-6BCF-609D-A14E-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555929Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.163{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E92931093F961953D1FDC606FC8195,SHA256=589324D2D60A46790AD643037201D359A8FAEBCDA057035F15F7593837A2A659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555959Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:28.304{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6CBE8DA46F8B984E0B7340FAFECCA1A,SHA256=0AB1177AE6DEA2C51705016D807A8E6BC1CAA061536BD8A5D9ABD6D5E4CAA968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654291Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:28.220{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95852944DDCEB579097E70AEB4252F0,SHA256=D36C9D4543A48787DCD3188C2DA536452631B8ECEB20E538E1C31D8DB963AA84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555962Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:27.446{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51728-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000555961Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:29.304{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853FA091759C6B8FEC1E7D75416E5E23,SHA256=A8A705B97E43AFC48B5C0258624DE6ED4A4ED8F77B18ACE3619F3D059707ABF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654295Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:28.404{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65310-false10.0.1.12-8000- 23542300x8000000000000000654294Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:29.236{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9A9F4F733B4DB1341DD78CFA6DE8DD,SHA256=94C7BED916BE2CA6A0A7B1BC66F2B2BCF6C7C8CFDB2BFA17863AA2FAF3BD8570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555960Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:29.007{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F96DF09F83573E992DF2DA8714C51477,SHA256=10E9EBAC80A38A0C28450A1133A65E80BDFE1A550268DA613723CAE8F60ECD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654293Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:29.173{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C21F650C5FDE240E4A42D00E3015392D,SHA256=29799A95699667DB3FD537E43BCEB737431F221FDDF62265E7012C89776E21F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654292Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:29.172{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D7B69E621966C2F36B4BF9EA1A3EEE7,SHA256=AC401AF4D1BD4121E331807F614D0126768DD59EC8D95BE00FDA0C266536F882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555964Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:30.320{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFDBB93351C959FC73FA7406C27F28B,SHA256=ED5A5C717B679BD0A5942955EC458980473182DE6DFBF03E972138F8606ED62D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654296Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:30.242{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95D95AD11E6B556382AA5E22FB0BEB1,SHA256=FAA01A0C7049E8712D8FF99EF0D7129722F34E5FDDCFA97022A476B1664693A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555963Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:30.257{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D76A4AC3BEA9DB227E89CB74E185C28B,SHA256=31682EFB355454734220943B53A645A0E2AE1DAD0A8DD803FFC0028EBC077629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654297Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:31.257{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9A73C74BCD41C0D1FDE140EF0D5DD9,SHA256=01EFFDD6309F360358EFD8773C763A5B21064743584B48E9E10072AE8183CEAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000555966Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:28.852{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51729-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000555965Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:31.335{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE93626D8FD29199BEFF6992D8E34AA,SHA256=D3EEE7717C7BC410C33D1B98590C3AF05E50B5B24AE87EBC632B11EEA9F6DAD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654298Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:32.273{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CF979041AC4C3B0F867E79C2C4DBED,SHA256=F872DB8974DD187C036A2326981CCF27CBAF4D2CAA060558C8D59684B3F593A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555967Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:32.335{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD0AA73A2D2CC3CD8565445F4AA91A7,SHA256=62E3AFF0F55981E2E02CE2D888D03BB837E161C861D05E570D70D8CFF88674B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555968Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:33.351{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B077742A32EB8A2C8FC76BF852ED895,SHA256=893F3A3167E0739C54C52784D5A55DD0130E1F02506F2515C595D29FCAD09C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654300Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:33.282{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1187ECDDA54F66408E9E338EF951B660,SHA256=9D82AAC2EDFC4C232433AE9B2BAC47B53B591283912F2CBC11A0F136781B18F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654299Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:33.192{7B03F3B2-D0C8-609A-0B00-00000000BA01}6324952C:\Windows\system32\lsass.exe{7B03F3B2-D0C5-609A-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000555969Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:34.398{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38483B253C4A6D520B267BD7EE6F1091,SHA256=B47FC4FE6C0C720520059A92F80471E3048A9422AF467554A5440E7EFE7850E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654308Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:33.432{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65313-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000654307Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:33.432{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65313-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000654306Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:33.330{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-18.attackrange.local65312-false10.0.1.14win-dc-18.attackrange.local389ldap 354300x8000000000000000654305Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:33.330{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65312-false10.0.1.14win-dc-18.attackrange.local389ldap 354300x8000000000000000654304Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:33.323{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65311-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000654303Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:33.323{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65311-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 23542300x8000000000000000654302Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:34.293{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A335FBB1478E5A40FE6806DB1E6ACA,SHA256=F7B3D785EB94E1775D72478C23B21D0DF03502959FB977D5B3E11C9C0A8D60C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654301Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:34.099{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C21F650C5FDE240E4A42D00E3015392D,SHA256=29799A95699667DB3FD537E43BCEB737431F221FDDF62265E7012C89776E21F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000555986Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.898{E1BD9FC2-6BD7-609D-A34E-00000000BB01}9323376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555985Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.773{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6BD7-609D-A34E-00000000BB01}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555984Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.773{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555983Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.773{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555982Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.773{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555981Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.773{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555980Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.773{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555979Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.773{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555978Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.773{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555977Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.773{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555976Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.773{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555975Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.773{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6BD7-609D-A34E-00000000BB01}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555974Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.773{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6BD7-609D-A34E-00000000BB01}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555973Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.774{E1BD9FC2-6BD7-609D-A34E-00000000BB01}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555972Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.398{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6426503E3B0BABD0DC8E0850FB0CDF,SHA256=AE43A8B64C409E93282CFFB67B98EC5167E27F3858258E33D7493A384185B0BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654311Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:34.406{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65314-false10.0.1.12-8000- 23542300x8000000000000000654310Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:35.302{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8837725E65BCBA72BFEF9C2BA066C1,SHA256=0825E84B6EE5821558AF94BBF33187FD42E4ACFD31518204CA0818567640836E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555971Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.382{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37266D81BE7F26014C80D59B29CDF78B,SHA256=0E8ECF49FB0440EBAF0FB5AEDAE95257A7FB03F0E45953D5E068B6A018F81407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000555970Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:35.382{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50420BFE098ADB5C2AF89593A13CA594,SHA256=AF63517E7C687890D7FBA03A83CBB72024757FBEF414C93788A89F5161174706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654309Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:35.181{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1448D84F289C7DFAF7272DA938A8E551,SHA256=2DCDFFAA340A73C4372CFB1FAE26A142170FF0E5C630694CFCCA3AAD63AAC2F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654312Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:36.312{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E96F607A5D1EB5B0097DFEB5E3B90D,SHA256=6D8A49FF10C088B4FD3A373FC3D0F18D68BEC0808C5FF44E6B1952E5A02E561A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556003Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.788{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37266D81BE7F26014C80D59B29CDF78B,SHA256=0E8ECF49FB0440EBAF0FB5AEDAE95257A7FB03F0E45953D5E068B6A018F81407,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000556002Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.570{E1BD9FC2-6BD8-609D-A44E-00000000BB01}21081128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000556001Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:33.883{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51730-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000556000Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.445{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6BD8-609D-A44E-00000000BB01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555999Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.445{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555998Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.445{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555997Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.445{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555996Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.445{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555995Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.445{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555994Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.445{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555993Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.445{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555992Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.445{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555991Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.445{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555990Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.445{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6BD8-609D-A44E-00000000BB01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000555989Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.445{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6BD8-609D-A44E-00000000BB01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000555988Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.445{E1BD9FC2-6BD8-609D-A44E-00000000BB01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000555987Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:36.429{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA0A822A31D13EB4BCF07BB36559C52,SHA256=AABE7150ED9A8395CDA830F0EFAA92B8276CE0A09A190EB34C71E4A4CD5FEF39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000556031Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.820{E1BD9FC2-6BD9-609D-A64E-00000000BB01}29841852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556030Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.695{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6BD9-609D-A64E-00000000BB01}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556029Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.695{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556028Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.695{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556027Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.695{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556026Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.695{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556025Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.695{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556024Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.695{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556023Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.695{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556022Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.695{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556021Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.695{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556020Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.695{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6BD9-609D-A64E-00000000BB01}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000556019Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.695{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6BD9-609D-A64E-00000000BB01}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000556018Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.695{E1BD9FC2-6BD9-609D-A64E-00000000BB01}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000556017Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.538{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F68F9E6F1C31C85270CE263130DE3DB,SHA256=8112EB56E7FDD513E014DA241D651024F09D86B35370AB1FEF2F68F83B92B238,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000654314Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:11:37.436{7B03F3B2-D0CA-609A-1200-00000000BA01}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74823-0x6a402e74) 23542300x8000000000000000654313Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:37.325{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6CC3EC669A6BFD69AC4A36644BC0F0F,SHA256=62CBFEB180BCECED3FEF68F2347F6BB2355B6FA7DFDB2ED178AA6EF30B7FFA3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000556016Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.116{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6BD9-609D-A54E-00000000BB01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556015Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.116{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556014Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.116{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556013Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.116{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556012Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.116{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556011Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.116{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556010Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.116{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556009Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.116{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556008Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.116{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556007Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.116{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6BD9-609D-A54E-00000000BB01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000556006Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.116{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556005Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.116{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6BD9-609D-A54E-00000000BB01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000556004Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:37.117{E1BD9FC2-6BD9-609D-A54E-00000000BB01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000556033Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:38.585{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C76E690C32ED2EAF7F6D4278977E033,SHA256=057D35173D0AA618C89C80891CBA5FABB27228792E6E76777C7D0B99AD64E440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654316Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:38.383{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAE130FF7ECE68A14A2E56E2595D15B1,SHA256=D035D9D581C5EA25FE91D7667214D772E3D1A66371985EB980526A336D74002F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654315Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:38.338{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4DF831BAACFECC48ADB27C294553D42,SHA256=2FF5CC0A1E89B9990D7CA6F6B10F76C36C1814F1E5B4E2DCC5096237F947109C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556032Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:38.132{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDF40AFFA2D1B6CEA00A523C84A30CB0,SHA256=E1488026DFD419E635D7D3075B02FC1CCEF564463DC6E097C1840E7F0447D80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556034Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:39.601{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E96A6F31F33607A9F2635FDD54F83F,SHA256=7EDAD0C6E8841870346476DD233A6C71EEF10CE11036FCC5144060AFBC9939A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654318Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:37.612{7B03F3B2-D0CA-609A-1200-00000000BA01}388C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-18.attackrange.local123ntpfalse13.86.101.172-123ntp 23542300x8000000000000000654317Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:39.403{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A0F4B6A4B76C16AC1F66DDBEAD717B,SHA256=687C60CA3A024374EB3564B0D312FC3254E3C943FC05E45DDB8951AD648620AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556035Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:40.601{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E6A911F4B7208FC03A3BA86F26F8A2,SHA256=2117F94D1674A66EB1461565BEFFF2D49FD86FE193F16C180537D19AF921EF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654319Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:40.409{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68933A07C5F1865B32376CAECE05C24D,SHA256=92EC4BC9078AA7FC154D9D771006880DD87A0B96BC32DABCF4C87FCAD36343D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556037Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:41.616{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2627387E7F470513265B241C2B2EED42,SHA256=65E1F308CDB815592E127D250B948D806E788A87FD2C973EF923B02160AD7DDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654322Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:40.332{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65315-false10.0.1.12-8000- 23542300x8000000000000000654321Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:41.430{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64BB080BB9D1D0BA637813C7AC3ADCEC,SHA256=B0D3CCD28BEAA5FE59B82A13A87BD97106B683E30B1396557E1024B90F181C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556036Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:41.101{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C31F38E4B2C73E02C66592F07106D2F,SHA256=245FC3EBDCEFB7D4C2A70474A27174422B6CF51E3D98A85CA968184500A4C8DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654320Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:41.097{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=315F10423D27E502EEB4F0DF6AA5024D,SHA256=E76EA35F3BD49040D2574F0E7B12F408E706B65D8F095E35B0BF87D3933AD875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556039Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:42.632{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42199B8E97AB74670095666121D7CF34,SHA256=9CC775A85DEB5EA701CD46B5DEF9100F3E17BF1FF6A9952899B61D9572D0A6B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654323Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:42.445{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD217D9E03EE53DDF32F8C6070265A4,SHA256=6BB937E7DA849E1795F530ABB075296111C7CACBFC58DB39FBBCA820F76EB123,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000556038Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:39.743{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51731-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000556040Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:43.670{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2166C9986C41B7B794B90AFE69D77F3B,SHA256=2577C4AF00B343EBA7DA23FAF76D6CFBB5C64D4E3A09A15348C895E0AB9517A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654324Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:43.449{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F09AC31E207C616FE22E5FDC1C78820,SHA256=AF8EC9A24B9D58894497A0AB13F8B4235A188063E1D83A05251202ACC3A5C2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556041Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:44.686{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3CD2EA753F5E950B01EB7E95E08ACE,SHA256=8C793A2C1A0D8286D7657BD2298D7F4E7B1C5D791B2008ABDDEEA85F7FA9FE87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654326Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:44.459{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A06EA597B418C284E371A6DDB180760,SHA256=7908EAC553CA4817DB7611953D6459B5DB0233E01FF83606D5098414884F5017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654325Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:44.172{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DADE285049F706E954709A79E6A5EC44,SHA256=4AADAB9F87D742688275DEE2D30CAEC8F8AC34A3577FCDB363197848E6173730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556042Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:45.702{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5929FB59543F435DC36A988DCC353086,SHA256=721A7EEB30BEDE8DCA861E8AC74F912DDBE44BD70675B4BE4AFE7E1B075AA969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654327Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:45.465{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A2BFE3D0C899D839BF39E832FD3AA4,SHA256=90670E22D0BE981AEEF65495B1A84CF24FA22152B9BF4CAFF995DCAD2BB4BC3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556043Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:46.702{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977050471C1F02B50F31B4062675A96F,SHA256=37A06E1F00341E5661F347ED78330ED77154282D6D6439876B0EDCF6EF770D63,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000654350Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.764{7B03F3B2-6BE2-609D-9353-00000000BA01}8008C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000654349Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.758{7B03F3B2-D0C8-609A-0B00-00000000BA01}6327824C:\Windows\system32\lsass.exe{7B03F3B2-6BE2-609D-9353-00000000BA01}8008C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654348Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.758{7B03F3B2-D0C8-609A-0B00-00000000BA01}6327824C:\Windows\system32\lsass.exe{7B03F3B2-6BE2-609D-9353-00000000BA01}8008C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654347Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.689{7B03F3B2-3953-609D-A64C-00000000BA01}19044796C:\Windows\system32\conhost.exe{7B03F3B2-6BE2-609D-9353-00000000BA01}8008C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654346Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.676{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654345Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.676{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654344Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.676{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654343Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.676{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654342Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.675{7B03F3B2-319D-609C-402D-00000000BA01}2288452C:\Windows\system32\csrss.exe{7B03F3B2-6BE2-609D-9353-00000000BA01}8008C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654341Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.675{7B03F3B2-3954-609D-A74C-00000000BA01}19923584C:\Windows\system32\cmd.exe{7B03F3B2-6BE2-609D-9353-00000000BA01}8008C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654340Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.674{7B03F3B2-6BE2-609D-9353-00000000BA01}8008C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe1.55.1Rsync for cloud storageRclonehttps://rclone.orgrclone.exeC:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe copy c:\temp mega:backup -q --ignore-existing --auto-confirm --multi-thread-streams --transfers 12C:\Users\Administrator\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=22BBE1747933531E9C240E0DB86268E2,SHA256=53AE3567A34097F29011D752F1D3AFAB8F92BEB36A8D6A5DF5C1D4B12EDC1703,IMPHASH=2F1ADC02EEC2C8681D1612C9A43CED84{7B03F3B2-3954-609D-A74C-00000000BA01}1992C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /K "doskey git=^"C:\Program Files\Git\cmd\git.exe^" $*" 10341000x8000000000000000654339Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.674{7B03F3B2-D0CA-609A-1300-00000000BA01}922724C:\Windows\System32\svchost.exe{7B03F3B2-6BE2-609D-9353-00000000BA01}8008C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000654338Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:45.465{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65316-false10.0.1.12-8000- 23542300x8000000000000000654337Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.483{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA87E34CF760F0A1C80310D5060A188,SHA256=BFE7927E862DFF395BFAF20D725FC73342644C6A5E43EBDFB84A5A70F05F8D45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654336Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.343{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6BE2-609D-9253-00000000BA01}7268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654335Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.341{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654334Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.341{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654333Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.341{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654332Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.340{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654331Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.340{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6BE2-609D-9253-00000000BA01}7268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654330Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.340{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6BE2-609D-9253-00000000BA01}7268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654329Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.339{7B03F3B2-6BE2-609D-9253-00000000BA01}7268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000654328Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.233{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04EDE7EFBF3EF257EBF9CF5F6105E0B4,SHA256=4621FAD39426BD888B9B0BAAA2E672BE02C496981A40B72E18FD97E058DFF80A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556046Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:47.858{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A4A56020B6B7FA765F2C5C5B8E79729,SHA256=BFAAAE1A899F574008A817DA26A2708EA044E92FA4DAE24A54AFC60FE270C9D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654369Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.520{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6BE3-609D-9553-00000000BA01}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654368Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.517{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654367Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.517{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654366Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.517{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654365Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.517{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654364Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.517{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6BE3-609D-9553-00000000BA01}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654363Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.516{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6BE3-609D-9553-00000000BA01}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654362Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.516{7B03F3B2-6BE3-609D-9553-00000000BA01}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000654361Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.498{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932DD6B85E3AE8BB553BD0A699B077A7,SHA256=1C5FE48EA1267E0DFDE5A75DFD7BB85B6800BB558D8F3ADB285C3967F8747DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556045Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:47.061{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E3E3CA410020CF4D69BC04F990CAB8E,SHA256=0316D99DC2CFAE5FC32140159556F1AD734C859243E604F537C1AC20FE284E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556044Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:47.061{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53A80B42580172D1B8C0AC8E3CEF4264,SHA256=7114E120E0997D22A0E37B37E59938789DEA4367BE512BB06E8C56D881D507B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654360Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.353{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F95A1E47F5E138ADAC5CC749B8D671FE,SHA256=3E7269F20854465EF4329C8E5866FFD0B23FA31E6F548BB777D054D9091716C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654359Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.192{7B03F3B2-6BE3-609D-9453-00000000BA01}21526156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654358Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.020{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6BE3-609D-9453-00000000BA01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654357Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.018{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654356Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.018{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654355Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.017{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654354Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.017{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654353Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.017{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6BE3-609D-9453-00000000BA01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654352Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.017{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6BE3-609D-9453-00000000BA01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654351Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.017{7B03F3B2-6BE3-609D-9453-00000000BA01}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000556049Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:48.967{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6280FC585806C833191FA729CCE0E432,SHA256=C8C97432CBEED59709AE5D7EBD360F7404A93E2970F7748CDB5A2DEFA14BBB18,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000654385Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.993{7B03F3B2-6BE2-609D-9353-00000000BA01}8008win-dc-18.attackrange.local0fe80::b173:2d3f:cb87:36ed;::ffff:10.0.1.14;C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe 10341000x8000000000000000654384Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:48.640{7B03F3B2-6BE4-609D-9653-00000000BA01}32567220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000654383Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.001{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65318-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local49666- 354300x8000000000000000654382Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:47.001{7B03F3B2-6BE2-609D-9353-00000000BA01}8008C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65318-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local49666- 354300x8000000000000000654381Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.993{7B03F3B2-D0CA-609A-0D00-00000000BA01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65317-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000654380Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:46.993{7B03F3B2-6BE2-609D-9353-00000000BA01}8008C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65317-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 23542300x8000000000000000654379Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:48.540{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94E981CB3A741F60C0369099928DF071,SHA256=913FFB99EFB725C1C891045223D27DA8D34045F424613F0324946806E446B851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654378Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:48.509{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0128CA1168E6E32A30A8DFF1816F6EA5,SHA256=CECAC078C128782E6FACD916AA219143E5EC005FE844656FD08634103ECDCD2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000556048Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:45.703{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51732-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000556047Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:48.405{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E3E3CA410020CF4D69BC04F990CAB8E,SHA256=0316D99DC2CFAE5FC32140159556F1AD734C859243E604F537C1AC20FE284E01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654377Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:48.478{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6BE4-609D-9653-00000000BA01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654376Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:48.476{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654375Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:48.476{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654374Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:48.476{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654373Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:48.476{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654372Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:48.476{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6BE4-609D-9653-00000000BA01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654371Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:48.475{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6BE4-609D-9653-00000000BA01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654370Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:48.475{7B03F3B2-6BE4-609D-9653-00000000BA01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000654397Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:49.651{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0272328934E2D3C56AA5A789007D074,SHA256=D3C66DA2895E8B06E8588FE54547FA7C6D24CB4F3552984E7E641FFCD49097F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654396Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:49.520{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=325E3CDC7FBDBE902480F754FF81569D,SHA256=0773A94ECA3D490B9DE197875396B2653AD8F71133288979D9A5C41094D34BB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654395Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:49.320{7B03F3B2-6BE5-609D-9753-00000000BA01}77726264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654394Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:49.220{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654393Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:49.220{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654392Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:49.220{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654391Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:49.220{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654390Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:49.147{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6BE5-609D-9753-00000000BA01}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654389Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:49.147{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6BE5-609D-9753-00000000BA01}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654388Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:49.147{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6BE5-609D-9753-00000000BA01}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654387Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:49.148{7B03F3B2-6BE5-609D-9753-00000000BA01}7772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000654386Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:49.130{7B03F3B2-6BE2-609D-9353-00000000BA01}8008C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\svchost.exe 23542300x8000000000000000654398Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:50.529{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE08B6C91F13FB53FA7CB067E73D654,SHA256=4D3A68AF63D56FCE3FE85D367174841DF2F73EE532EBF552D4D0935847C06661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556050Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:50.030{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61004F933AEE42482563324602E73E97,SHA256=69868AF276B1E02928A310BB40BC881F7093EE739D107BA5BC3F62F61AE114DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654416Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.947{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6BE7-609D-9953-00000000BA01}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654415Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.944{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654414Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.944{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654413Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.944{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654412Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.944{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654411Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.944{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6BE7-609D-9953-00000000BA01}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654410Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.943{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6BE7-609D-9953-00000000BA01}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654409Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.943{7B03F3B2-6BE7-609D-9953-00000000BA01}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000654408Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.538{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E5A8FA8456A20A53BF6812B2A82E77,SHA256=6B23A805A3D7C15E95DEB9B6888637BE16E89CF2B3A21FBBF1848E6CC62050D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556051Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:51.077{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F727FC1769CB7AE04B4A6E2F9BB9A53A,SHA256=A2D4BBF1AC6ABA5DFC7258ED1646F726F56516EC9534D19FE5937D40BDE09B52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654407Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.307{7B03F3B2-6BE7-609D-9853-00000000BA01}48167688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654406Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.135{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6BE7-609D-9853-00000000BA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654405Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.133{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654404Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.133{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654403Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.132{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654402Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.132{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654401Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.132{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6BE7-609D-9853-00000000BA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654400Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.132{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6BE7-609D-9853-00000000BA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654399Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.132{7B03F3B2-6BE7-609D-9853-00000000BA01}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000654419Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:52.979{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=73CE0A579A2C527CF59E80220528F0A8,SHA256=2FEDDAD060CCE41B39895B35E12FD86938CFD819AAB27B75FEA6ACDA581A5F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654418Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:52.556{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8173BB9E2EADEF94EEDFE36A8F0658CC,SHA256=E5F1D1E43D63296DBB480A7EAB22201780D858950DAD48967FFB6F59121BE0B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556053Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:52.155{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14D0CA02BAD115E0B049AE8180A765BB,SHA256=DCEFCEAC5D022F517EF28121F3CFA1DA72191D9166892771AA93F48AE0306864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556052Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:52.123{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69A0D31D3B487C3164F50BCAD821113,SHA256=E78CFA8E8A216A7FE032D8BBBA2E74DC9DE0DC23F604785ECAE34FDDA25F3EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654417Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:52.156{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=246F346B5927FC37057F30026A0A0E56,SHA256=895588F0F9F7F14739F13CB941363B24770FB338501B08E6102A0FDEB039EDD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654421Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:51.481{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65319-false10.0.1.12-8000- 23542300x8000000000000000654420Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:53.571{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DAE0D59B6997F49202A015B330FA6B,SHA256=52B6293C5EB590DE595F7B16DFC9FA2B59BCAB5CC34834E4FBAC7BC54928A57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556055Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:53.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C1E5273B7867F6F85B53F85698D75F,SHA256=8EC4D3A810EA4A53EBE9AD52D8E330199896333317816ECD14D62BA45B380433,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000556054Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:50.765{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51733-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000654422Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:54.580{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D10B54A3012EB471A5FF6CFFE91376,SHA256=DC1658DFE96CE4AE76962FB1D9EE357CE9144107EFD2E6EB859BDE54358E8A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556056Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:54.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE8ABBBCC0B96BC87C662C640C7FCBE,SHA256=AD48ECE684F4EFDA6298B9B64E5DA7F3241341B8A7E49CE58D7CF4332AAF74FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654452Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654451Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654450Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654449Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654448Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654447Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654446Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654445Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654444Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654443Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654442Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654441Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654440Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654439Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654438Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654437Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654436Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654435Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654434Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654433Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.980{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654432Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.979{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654431Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.979{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654430Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.979{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654429Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.979{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654428Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.979{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654427Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.979{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654426Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.979{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654425Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.978{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654424Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.978{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000654423Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:55.595{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49ABE307F2547843BBA1022F1B9EC3CA,SHA256=F9EE349A8BD4B6D1992B953FFE4618812760A2A62ECF11176763F089AFBCCABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556057Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:55.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC1F8681F6B9206F28683D5CDFE0707,SHA256=3EF777C62579D1995E22E9FD4A7F87B02928540683CBDA1283D901C7924F8756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654453Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:56.656{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F154563BABFB7B583A77D09A59E4EC3,SHA256=E62A6EFA24179EA53E3B1946209EE07B73817284449454CBB8E732356F3DC5F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556058Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:56.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F7395D45F1472ABFC5C697F5047651,SHA256=26570611DFD5E864487F96CF7D152240FEE2143C9CBBAD6486B97CAF43727FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654454Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:57.663{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF4EA6FD7C3389171B9A83B0BD44191,SHA256=7C94A9D478022DD2138C079E164843B9D1555A2A66937D4B3E382A7ECC58C239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556061Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:57.264{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E6E564BA868995AD7D36C5D64A9FD8E,SHA256=B2025B6C602ADB3E3FE4D50044788B5059D9E129059B3DF5872D9B2E36318828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556060Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:57.264{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50FE19B991CE4EB1F6069002BAFC82E5,SHA256=4D29EB5C403E71FFAD2FE8F6751B887EC63B4EC672A30F943B6E95453BF61AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556059Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:57.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F184FEF1356901F24C2CA4A0E3AF6EF,SHA256=A80C25594DDF5E3A9EE9AE5515467DED3EEA261961AB47632D81A55705209A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654469Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.670{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1C9551C99F9691B536BA7439693E7A,SHA256=22F85BF5ED2560BF306BAD2E50C84B6318F659D74C3EC7CE32B36C528A9D03DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000556063Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:55.859{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51734-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000556062Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:58.264{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF854EAAF9C2A7B6796DC1A66FA0BEF8,SHA256=259B854D4D65B9CB0A58F06FA7FEF21AEDA01BEFEC327D102C32B10D28FE46B8,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000654468Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.299{7B03F3B2-6BEE-609D-9A53-00000000BA01}5252C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000654467Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.296{7B03F3B2-D0C8-609A-0B00-00000000BA01}6324648C:\Windows\system32\lsass.exe{7B03F3B2-6BEE-609D-9A53-00000000BA01}5252C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654466Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.296{7B03F3B2-D0C8-609A-0B00-00000000BA01}6324648C:\Windows\system32\lsass.exe{7B03F3B2-6BEE-609D-9A53-00000000BA01}5252C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000654465Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.270{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B475B66431E21F3712B2A8FA2BB03CF,SHA256=C998275E832537F332E810CF8CD78F316729088C84A170DC6FF96CABC3C979DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654464Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.269{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71FF6E2FD67E91FFF788F60FF691DF84,SHA256=12723FAE430EB60731C2ABFB9AF50647A41853DA78C38F53AA481BF9213DA6EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654463Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.235{7B03F3B2-3953-609D-A64C-00000000BA01}19044796C:\Windows\system32\conhost.exe{7B03F3B2-6BEE-609D-9A53-00000000BA01}5252C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654462Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.233{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654461Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.233{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654460Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.233{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654459Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.232{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000654458Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.232{7B03F3B2-319D-609C-402D-00000000BA01}2288452C:\Windows\system32\csrss.exe{7B03F3B2-6BEE-609D-9A53-00000000BA01}5252C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000654457Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.232{7B03F3B2-3954-609D-A74C-00000000BA01}19923584C:\Windows\system32\cmd.exe{7B03F3B2-6BEE-609D-9A53-00000000BA01}5252C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000654456Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.231{7B03F3B2-6BEE-609D-9A53-00000000BA01}5252C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe1.55.1Rsync for cloud storageRclonehttps://rclone.orgrclone.exeC:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe --progress copy c:\temp mega:backupC:\Users\Administrator\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=22BBE1747933531E9C240E0DB86268E2,SHA256=53AE3567A34097F29011D752F1D3AFAB8F92BEB36A8D6A5DF5C1D4B12EDC1703,IMPHASH=2F1ADC02EEC2C8681D1612C9A43CED84{7B03F3B2-3954-609D-A74C-00000000BA01}1992C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /K "doskey git=^"C:\Program Files\Git\cmd\git.exe^" $*" 10341000x8000000000000000654455Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.231{7B03F3B2-D0CA-609A-1300-00000000BA01}922724C:\Windows\System32\svchost.exe{7B03F3B2-6BEE-609D-9A53-00000000BA01}5252C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000654476Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:59.693{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7659F67400B6D5D0CE28EE919E8B9B53,SHA256=7B784B91FA4CB2235D83593DF95CE6733725FFEC09FC9A572AA201D31FBA5F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556064Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:11:59.295{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB58155C5584631DD31B870004AA050B,SHA256=37703D0BC6B82223162E03D1BADADA2D32B0E5C230695339B2F3C89D91D5A099,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654475Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.539{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65322-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local49666- 354300x8000000000000000654474Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.539{7B03F3B2-6BEE-609D-9A53-00000000BA01}5252C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65322-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local49666- 354300x8000000000000000654473Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.536{7B03F3B2-D0CA-609A-0D00-00000000BA01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65321-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000654472Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.536{7B03F3B2-6BEE-609D-9A53-00000000BA01}5252C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65321-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000654471Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:57.483{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65320-false10.0.1.12-8000- 23542300x8000000000000000654470Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:59.306{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B475B66431E21F3712B2A8FA2BB03CF,SHA256=C998275E832537F332E810CF8CD78F316729088C84A170DC6FF96CABC3C979DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000654483Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:00.740{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000654482Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:00.739{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000654481Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:00.739{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa2e268f.TMPMD5=36DBBADA813EDB200C2B5A8128054E48,SHA256=F4E0DB2CD90C5DD2683AE772A460616D1F0DB8B7E1C978F725E37B250DA33754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654480Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:00.714{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E313F8D30C1D120239DF8E8D977944,SHA256=1DC4BEFBAE9CFADE8D2950A024BA076790DD1BD9B03541EB2FD38B06ABEF6E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556065Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:00.327{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBDD8FB4DE8D01D024BDF2DA20BD3C00,SHA256=7C8CF188E1934507DE7A91148136E56627F2F89E95E610EB39536376DB2D3575,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654479Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.734{7B03F3B2-6BEE-609D-9A53-00000000BA01}5252C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65323-false66.203.125.11bt1.api.mega.co.nz443https 22542200x8000000000000000654478Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.577{7B03F3B2-6BEE-609D-9A53-00000000BA01}5252g.api.mega.co.nz0type: 5 lu.api.mega.co.nz;::ffff:66.203.125.11;::ffff:66.203.125.13;::ffff:66.203.125.14;::ffff:66.203.125.15;::ffff:66.203.125.12;C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe 22542200x8000000000000000654477Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:11:58.537{7B03F3B2-6BEE-609D-9A53-00000000BA01}5252win-dc-18.attackrange.local0fe80::b173:2d3f:cb87:36ed;::ffff:10.0.1.14;C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe 23542300x8000000000000000556066Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:01.327{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8E60762A1087C355C2E46BF0B1CDAB,SHA256=4F0842239B6DBE69791E5F7E740501BBBDE5AF20B912E71BDA3A2E83397D11BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654485Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:01.726{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=459B837AF7DEB375148AEF29BC228AA3,SHA256=4FF700CEED3C28FCC5852282B979C06AE4F3B7805A9F13BE3A5FEBE9C12378B0,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000654484Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:01.507{7B03F3B2-6BEE-609D-9A53-00000000BA01}5252C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe 23542300x8000000000000000654487Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:02.750{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25438099420B6919242684AEACB2DBE,SHA256=2567EC395CBB034FFA0067BA42F85F445E774AD64416F61DAC1C8011C65881A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556067Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:02.436{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A965557B16FA26373BBB48316ED0033,SHA256=5812598BA8D1DD272D82F555266DEF1A4A1BFC6F273EB1243338C7048DE766A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654486Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:02.544{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BEC998914E5B7C3B433108DA8324BF7,SHA256=C90666D6A0DC443FFFE7080983D2B0FD3A9E585B690902276A567F069C87FD9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654489Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:03.753{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E895A8CEA7F0ED01FF103B8355EE6682,SHA256=E15D57DA35AF3765B93F797E81CD02F8AAADBC771505415664C3C87BE85A9CB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000556071Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:01.797{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51735-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000556070Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:03.456{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F85ED18BAAFC2A5463D2634147671F,SHA256=0BC899D26A0C43355958D8753F1B28F52E93A5A677178FF0E4C3A61E75B9AEA6,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000654488Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:01.740{7B03F3B2-6BEE-609D-9A53-00000000BA01}5252w.api.mega.co.nz0::ffff:66.203.125.32;C:\Users\Administrator\Downloads\rclone-v1.55.1-windows-amd64\rclone-v1.55.1-windows-amd64\rclone.exe 23542300x8000000000000000556069Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:03.175{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A58308479EBB5514B30B1A8CE77790D5,SHA256=85125C32BDC8970CB7E053E54FC10A6606AA3ADF71703FAB38E0E5F50ABA0406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556068Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:03.175{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E6E564BA868995AD7D36C5D64A9FD8E,SHA256=B2025B6C602ADB3E3FE4D50044788B5059D9E129059B3DF5872D9B2E36318828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654491Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:04.762{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5036C9F43192AD64910766C983E02AF0,SHA256=9B252071FC83F9083D05FE1E4473EA6EF8064BA8088D4683490478C23254C18E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556072Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:04.472{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF742AA8D2EC0EC880C10DEDD85A24F1,SHA256=19159DF69847B3C6A7E695B873F4572E0D03F07FBAFA9C9516F1BFAEE83F4EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654490Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:04.090{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C7E50235E61A1741909747356AFF473,SHA256=2DFC4365E20E8AFD7BF6D446FEA802B265A5834F9FBEFD252547D0220538094F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556073Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:05.487{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5B4414B5681847FC6D73221648D41A,SHA256=ED4B645662A986E5B466D9B8CDE6643BB87BDF7B6CE53CECF0470F8EB593FAF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654493Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:05.769{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D46D336BD141EBCA1AE5B289D9BE8F,SHA256=324429384EE0DAEDD90BD1EE430ECFF8E40A1A512ED2A34B627067E09A6A5926,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654492Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:03.327{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65325-false10.0.1.12-8000- 23542300x8000000000000000654494Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:06.783{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465E9D800FA93A5CBB5D4A542CB5773F,SHA256=370E5CAADCE5237925490633B636BB14AD6A489CDD694FD82CBE6F9231EEB1CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556074Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:06.518{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248057AD9B733EA248A04F5F9D7F10F7,SHA256=D557FE2137CD7ABED9622F95AA3B3FFB88340C0F33E0ABA0189E936B0184D85C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654503Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:07.814{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6962327C9A3B9E0EE03AE0D9BD4B09A9,SHA256=567488212CD05554B01F1A7254ADCCAFCD27C86210F7618F211EC0AB0DCA6C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556075Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:07.520{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D109FBEB344F6590187F5251A3D6EC5,SHA256=984D18882CA73C1FEB18CF74ADA584D9529D0C2EA2A65636596204D5ACE8C9BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654502Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:07.794{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=345EE7764270E5335967C51893C33CF4,SHA256=0EDCD25BE0718E46F8A12079B0F3290A95D863EA35AF6E584EBB642F4C56FC0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654501Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:07.793{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=F4D6214BD8C7C9FC6B24D4E010E0E007,SHA256=08FEC62160ADA1BF14F49716392C8938446B056FB587C7C685C7A71D2D01F683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654500Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:07.792{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=AE9C9ABCC942A8C427C29029789B6C17,SHA256=DBC745B60CF69135EAF1D5C56B1EB4DF9F0977903DD81CB367C76B787C6FC3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654499Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:07.791{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=05E27C9B5AB6290DE5C28409A7A23587,SHA256=F9D7D947B0099BEDDD3C1F03B89CF98ADA904EAD06D82F9541CED7ACEB926BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654498Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:07.790{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=5ABDDACABAA657735920ACC74D296A7A,SHA256=EF68F8056387C086EA4BFDFA220E98DD769C0C21AB3660E8FF0518D9B6C9AAD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654497Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:07.788{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=8B244F8441D3B0C782CFCE903350E2B2,SHA256=2DE02EEB7614F0EF04541775950F69F20B4BC11A73B4E1B49E2D52797BF3A407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654496Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:07.787{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=44B2A26B5A6E5B972B73A287ADD99667,SHA256=D3E9DE08AF0C5565170962D420EA3A851BA289814E34B56378B1B58D0A00D307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654495Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:07.786{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=98476A94DAA35769DF5C467F472C7066,SHA256=09D2F5421AECB49527715CD394573D8DD0D5E06DCBE6FFAB6741FF000BDDA98E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654504Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:08.825{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6323DA051207AEF63A7DBB4ED550769E,SHA256=60949883E582BC30571735781E9EA8DAC31E0AF14131BD85C93BC66B284B6DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556077Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:08.841{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B8F87311DE3240483E3BF2970EDDDC5D,SHA256=CFFAB81CDBDC8E981B56337ECE16A6E6BC8BFEF60C7196C249430393B1E46DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556076Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:08.575{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973A203847D7AC5C54FF0DE55591912F,SHA256=0B178F7170C23DA533F436AE920AB4E56CE9D31273083D944A6DD20F27D110BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654507Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:09.829{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52B0CFCE79F8821BA90D985BBE1623E,SHA256=FFF5CD681140BBABEE47CF327FE56670E025589CAFF6F3859206DCD5D88A38FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556080Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:09.591{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75B663211A26E30E01FF399699DCA13,SHA256=A63ACCF2DDDA573936144F6A5384A0DF86526C61A6C99B60AB2D3D6B6E84CF31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654506Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:09.272{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0CEC06DF56DA2AEB4F19DC959331BB4,SHA256=8F3FE5DB375F290D3375CE70527E2F14BDB4C042DEC395F770E25B093FB696C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654505Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:09.271{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3ED7B69280957939DD99AFD292C3E9A3,SHA256=DB9A314D94EB8E0F4A3108D98FE5E94F2B6AAF6811FAB4ACC351ED3CA7393438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556079Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:09.091{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=835B99A9F86F0F669D4E02ECE6F6ACF1,SHA256=F004D9EDDC0502CE084992D6A25324C9A57FACF7E0D6F52355F3C62607B677E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556078Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:09.091{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A58308479EBB5514B30B1A8CE77790D5,SHA256=85125C32BDC8970CB7E053E54FC10A6606AA3ADF71703FAB38E0E5F50ABA0406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654509Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:10.843{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9BBF3B4D1FE7812376F7D7AC8C0F2B,SHA256=04C2BD6056A18D8C90DCD306E320CCFEA0B795BF4055B903BC3C329197ADDD30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000556082Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:07.717{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51736-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000556081Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:10.592{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD19CF8C93DF9709E4386AFC79DC6E2,SHA256=11E2F11D4908970A31711016113E7BED6508940F4009C4C47C9CB275636458D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654508Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:08.492{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65326-false10.0.1.12-8000- 23542300x8000000000000000654510Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:11.852{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E9F4C921BCE5D649DF8C7E9007E7A6,SHA256=6CB2FD7E5944DAE74E4AA5B6E65AA1C2C7D525C70798833A5379B851601E5650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556083Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:11.607{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA6B70634FAEBA8882C76502F256151,SHA256=9129CA4FE32EC262C3AC2625C99A28A8E803DBC1ADA431379F74BECD4BDC7D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654511Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:12.864{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCD75736802E796530FBEC29E9209AF,SHA256=014614279325219CA9F77A0FCE6A88FFE291A1D602B1DBA982BCC0C4680740E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556084Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:12.670{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A46DF10C8FC47EB2D2E185CF477EAF,SHA256=C321ADDFB252EEC43035462E8FE766CC7ABB8D5ADD3A794C136BC82698D544F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654512Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:13.912{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDA48A50B7736830B3E3ED89D82401E,SHA256=313D1D29A34248F86DBC99AA33E93DFD11C289A389B550C6AACF93B25F20F9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556085Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:13.670{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B008A1BDDDECD679F0E0A982E25E8E5,SHA256=7B3C998CEB52100D0DF8830C4F9BAED7AAB8B39794072FDE6C28A2FAD64DF329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654513Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:14.917{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6799E8CB991416E3FB78AB03B7BD80F,SHA256=F99D5B4DBC2873641184878D6AEC04103A66CDEF61CD5C1D40B7FB29E018892A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000556089Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:12.827{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51737-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000556088Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:14.685{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F71EC47DF9B602FCA1B01F7329571F2,SHA256=5AB95B4CC059767F8B2DEF854170114D2478C8FA7D340F3150AF719ED4386683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556087Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:14.201{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C77F2513FEA4CC285B5EAE30CAA64975,SHA256=F89BC5F802DB35EFE87E7F51A3EFE03B7D2E2BFCA4EE447A881C755BCC3127BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556086Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:14.201{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=835B99A9F86F0F669D4E02ECE6F6ACF1,SHA256=F004D9EDDC0502CE084992D6A25324C9A57FACF7E0D6F52355F3C62607B677E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654517Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:14.281{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65327-false10.0.1.12-8000- 23542300x8000000000000000654516Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:15.934{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A57633AEB92F09B6BE43FD3AC1045FD,SHA256=1B39D158B44732A216002CD1C816C2BED4B907A5FDCBB56BBED21F9258C52555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556090Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:15.701{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C850C06C7701A2CA23F1995EB1EB592,SHA256=5FF10927252520334A02591F77138D9F629E8BD3C55DBEDD265E1223D622CD03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654515Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:15.056{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16F21D5930A8F7EF6C3EDC32C7D62F6E,SHA256=ACCF5640E13CCB8933BE659A9A35048E28154440E68499BD422C6B0F754B43AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654514Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:15.055{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0CEC06DF56DA2AEB4F19DC959331BB4,SHA256=8F3FE5DB375F290D3375CE70527E2F14BDB4C042DEC395F770E25B093FB696C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654518Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:16.977{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94456A6971991136B6CB7000BFC42D17,SHA256=44CF7843F3016B59E1791EF1A81AE18051E88598E7FF8EEDACBA78E069A6B0EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556091Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:16.732{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=287A301A5F61B6348DF1DBEC28871753,SHA256=C6E7CFF73B8AA51AA2FFAEED5A1FCE1FEB8D9CA4CF7B26DEAB10F1EB439C5309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556092Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:17.763{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0EC0E3EAE38579E7EDA6F070FA1C136,SHA256=07BBAA09A97065F07F9C979E1BF40AC3E8D780906C35BD094E053331325AAB3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654527Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:17.994{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB019A97914BA7F90A7DC7D46882F81,SHA256=F020995CF279321EC3ECB4EA9264ABC87403F193D2EF32A71E8ECE83A22EB57A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654526Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:17.830{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=C20B770699CC8C83F31BC934472E8E23,SHA256=5434439D657449F0CC39182EA32CC3ADBE40D7F649CEBDC776D795B86EC97FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654525Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:17.829{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=1D5BB6C3A0633531896CF850590BC287,SHA256=425F2F2F3BD6926FFC4AE24DEE3475AE7D265F784D8AA3BD6FA836524C231132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654524Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:17.828{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=F2D7FF6AB3BCC0815D381BBAACAA0B17,SHA256=C1765FD394061330C623628702097F5DBB69D972FA525D1CF9412996BCFE72FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654523Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:17.827{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=C8C82CF79F7B52D3333F61F5A6C59F5F,SHA256=52E5A7573370592B2775BD0E0ECD55263D66E99437CCFE6C3DAE332AF1D6DA4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654522Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:17.826{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=EA6AB725A3F88EE207EA096D4DB41232,SHA256=2C0F081476FA9542951F075FE682414A4F18C1939CCE36900F9F8BC33C1865FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654521Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:17.824{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=377246546333A2ADB04C9385AE69BB84,SHA256=629E1589C593C28C6D91146A41E54314165C8161595A40C45CF5D848E7C3D481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654520Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:17.823{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=0C6D3715A9C98F6EDFC144872F8CAA5E,SHA256=3442E66ED293346F84C35357988023FCB9354A5EA3782B60659A85D1CEB34DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654519Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:17.822{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=17BEEAAA29F4BF8FE47126FBB5B111BE,SHA256=0538C668E1D2E276F0E98987251C02604A85E100E8911361C1533C47D2C9CD45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654528Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:18.997{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119008BC01643BB267BE07F8A8ADC789,SHA256=14932D03017F9FEC1D97B63D0D35A7D4F2C6F9D26B1602FFD1DF893D6E6EB7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556093Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:18.826{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5430CC32163502E47A1E93C6ED30116E,SHA256=2738746A306A2AB79C1008A3BA489AAFF487E06C5613F2319F690E7C521C7A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556094Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:19.841{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FBA79971D4702B3BBD3BB776AA3CAC,SHA256=B359D9EC59B94B4577F7AE144FB4422739E674A345E699A51C26B3B8C8CE2A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654529Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:19.203{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16F21D5930A8F7EF6C3EDC32C7D62F6E,SHA256=ACCF5640E13CCB8933BE659A9A35048E28154440E68499BD422C6B0F754B43AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000556098Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:18.780{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51738-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000556097Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:20.842{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9DB30CAB2F467965ECCDFCE98E6552,SHA256=F439E018619FC2F57F9453FEDEB922EAF21F48DBC6F7950EF95550CB13667250,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000654531Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:19.356{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65328-false10.0.1.12-8000- 23542300x8000000000000000654530Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:20.004{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CB4C3F8D87B399967EA48E9F12639F,SHA256=1FD1773B4D14DF1E07720DE8A5361498F2B2345C4C8ED41089F1027C5E2C9C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556096Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:20.154{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44A60A3ED0BAD191FBA4C64F23240A6A,SHA256=E59E7057CEF85FC167E9C041A7B13AB1CE40E7CA1F534C1036BDA74DF12FD761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556095Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:20.154{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C77F2513FEA4CC285B5EAE30CAA64975,SHA256=F89BC5F802DB35EFE87E7F51A3EFE03B7D2E2BFCA4EE447A881C755BCC3127BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000556099Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:12:21.857{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47016516DC901971CEABCCEDF8FCF74F,SHA256=BBD1AA641F2C63E903B1F6160918BDAD78310DFBCA70880F528326335CBB0C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654532Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:21.011{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7477F95DFD9C0B9111B808A2947E255C,SHA256=F43361DE398D68746AAE8E7158754F66CBEB7493C20FA93BA9674F90DE9A56C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000654533Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:12:22.018{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD848251840742A010798CF40AD2CA8,SHA256=4ECB0BE1A1C46A6295AAC2B34FC58B03BF07EBDDE5656D8DC462314A131AC1FC,IMPHASH=00000000000000000000000000000000falsetrue