23542300x8000000000000000651549Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:23.690{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01C63093DF093FC284FFF8DB4D95F447,SHA256=7082677CBF837AF25C4341BC46052F6054FDA742AFF034841FE1B7626FD59867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651548Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:23.664{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1F9663FE36E696BED3BF3683A659CA,SHA256=0AE5F58FFD851453C74C085B4D2449C727C5DE66BCF0C492ED2A80CE58C980F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553178Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:23.035{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8420E42CC0DCC648618321E9740AD75,SHA256=FB7ABB8028BDEF551228805A168726542B54EB13EE4B497598625B0E748ACBA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651547Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:21.322{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65086-false10.0.1.12-8000- 23542300x8000000000000000651551Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:24.671{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B28439DBF6ACB6B02F3DF0882D75C2,SHA256=6360CC94BBB70D43DD21C3121F306AAE6114A7932FC9224C978000DA33C8BAA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553181Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:24.379{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A715B957691199EFC58894331943AAC,SHA256=ECEC75093E70D3464C85CAF21C6E3257A84BA2E2114B675FA70E4F33C01D28CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553180Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:24.379{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA0961F8A9FBA72D3D7F0CA2E0C1C316,SHA256=1A2C1AE4CA07E7677A0B0C9F28AAAFEACBEF67954B20FB16B6270C63E5A3B7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553179Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:24.051{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69EA8964F817E856E78594402450A409,SHA256=F986F2062154C2103B37159E39D920E11D7A48B1707E69805DC3317D8E7CA67F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651550Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:23.056{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65087-false10.0.1.12-8089- 23542300x8000000000000000651554Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:25.676{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C57F8632D0CB1D7041F24B1E52D17A,SHA256=C64C999CCDBFFA1C7DFF1CF324FBC1162C04EF926872E7B5897BFC4C2056AD38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553182Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:25.051{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C9CCD110E6A86341CDCB90626D3A83,SHA256=BFB7CC3C2DAB87A5FE90FEA3A521B4F8A922BAFE6B98E6AF29DD730773F6FCC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651553Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:23.523{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65088-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000651552Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:23.522{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65088-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000651555Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:26.699{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F6061A7F9FC2F39E69FEA97E8CDD0F,SHA256=63B7B99F14E0485619F6E1D6AD0B0FA8F66C3DC37E89CCA976049BD6681912C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553198Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.957{E1BD9FC2-6886-609D-3B4E-00000000BB01}323516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553197Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6886-609D-3B4E-00000000BB01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553196Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553195Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553194Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553193Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553192Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553191Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553190Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553189Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553188Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553187Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6886-609D-3B4E-00000000BB01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553186Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.832{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6886-609D-3B4E-00000000BB01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553185Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.833{E1BD9FC2-6886-609D-3B4E-00000000BB01}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000553184Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:22.788{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51559-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553183Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:26.067{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C677A89B68A403910DE8E413D70AD86,SHA256=A33BA8BA5653423C74FFAB793D9EBE1FFCFA1E77EC38B740636969A44FD0C315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651557Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:27.744{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82562775C2DFAD35FAD1375249FA88F3,SHA256=19E9C3F068FD91861CD14EEC0AA57FF084DB936E40E616ABA5A49DC06CE51402,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553230Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6887-609D-3D4E-00000000BB01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553229Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553228Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553227Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553226Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553225Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553224Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553223Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553222Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553221Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553220Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6887-609D-3D4E-00000000BB01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553219Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.957{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6887-609D-3D4E-00000000BB01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553218Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.958{E1BD9FC2-6887-609D-3D4E-00000000BB01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553217Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.848{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A715B957691199EFC58894331943AAC,SHA256=ECEC75093E70D3464C85CAF21C6E3257A84BA2E2114B675FA70E4F33C01D28CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553216Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.551{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=3182DB13C820F175ECBA57D6E9E045F2,SHA256=417F4E366ABF6C25D0C6270CC120C9284726318448E9E95A4F6BF2598AA2FED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553215Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.551{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=EAEBA4013650A45DB6B5B18597D0C128,SHA256=14D91E61021BFAD21DEEEB050B7599AA1798DAEABAAE5CEC2F2B6EFD49668342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553214Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.551{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=0280BEBD018A95B9061F089A5ACC6C81,SHA256=4D1C9637C64815CF527F1AAF0823B0E21F6924C230A02C46139AB882E544946A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553213Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.489{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553212Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6887-609D-3C4E-00000000BB01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553211Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553210Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553209Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553208Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553207Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553206Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553205Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553204Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553203Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553202Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6887-609D-3C4E-00000000BB01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553201Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.332{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6887-609D-3C4E-00000000BB01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553200Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.334{E1BD9FC2-6887-609D-3C4E-00000000BB01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553199Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.067{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FE5E3E003035C8B5A710FE72A7E768,SHA256=7C2F36EC355145EAE9E15604911D79869D3084EDC6908481C3EC0E343A968A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651556Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:27.117{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD64B3BF53B2767425737B4FBCECEC9B,SHA256=F3DE390C972A70186798290A14969488F9C606DC26570CE8BBF3030AA5894B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651559Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:28.749{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3870C7CE2AB58FED1F46A522847F3CD2,SHA256=F9C795EC9981EB27243565E98351E3453F113FDEC014A52C5A468925F971F988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553231Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:28.145{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69445A7D8EC37C408709282704AF422,SHA256=30A38F5AEB8872E472DCD29A49D9615EC2D3C0BE5E5E09C17FD0BA2A477148F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651558Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:26.349{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65089-false10.0.1.12-8000- 23542300x8000000000000000651560Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:29.751{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA24D578BDCE29CC76D197326F08C79,SHA256=9C5C905E5B602A960FC3DC3280AD6BBFA32538FCF34479245ED0E0992399DB82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553234Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:29.348{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1571BB25193CC2CF0126D873CB192EEA,SHA256=3173924EE705FCE2265AA90815778A726E6342569E0FC99584B2930394937E6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553233Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.116{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51560-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000553232Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:29.082{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE8C6FB3738FA4504CB34C0FA4B04435,SHA256=D959A7285A41A60DE4CD684904279C125B3696D38FAD62F74162E5389AB9AA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651561Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:30.761{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C2EDC1B6621EAD6AC23E791E3D0618,SHA256=86EECFF9F25ABDD264C339C60ACBDE5FFE4445C22D77C666676614F9895A2A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553236Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:30.364{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409272F3D3F439BFA69D6DC65E023DAC,SHA256=12B4677E6909FF5E0D7B31759DE99996E689470DC6D6BE23CBFE9475A1648B98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553235Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:27.850{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51561-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000651562Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:31.773{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90063C741C22D29FE11AFC6BF730F4C,SHA256=F85770A67D75327031E73428BFD1FDC8EEC6566804419A5DBF81D8F325504424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553237Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:31.426{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08277084F98059A6ACDFE2489C5DD87E,SHA256=789E64E9EDCE87415020848F3D3B6E9FAF191098CCEF349ADD74E14E9D99AF16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553238Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:32.442{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E96841877A602670C082E77B85C626,SHA256=0935B89F43D5AC91F6C092C03F3FFD6DA693C1DD78FDAEFCCF9BBECE85B20BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651565Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:32.816{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29140FD911FAC7DCBB05F462D819F7D,SHA256=02C75E53423EDC954BD4C86FA61869410584BDA02D6024628F26D6068E627EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651564Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:32.209{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=257FC3BC207D8660EAF664CFE6988F9C,SHA256=1351B8464CC525D7678FEE517A40C4BDD1EA31BAE98080C5CAE5FF586951E1ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651563Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:32.208{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EF758812C4B2FD05ADAD6696A9406CF,SHA256=2CF6F18161DB1EB17A0448BDB7EA11D711BEE9EC28F092B1D33BB4A04E2BE28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651568Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:33.829{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E38552C1D253FE3327A52B5D51921FB,SHA256=ED00D1E449D92F6CCA484D314C4AD137670367E7B024283FB8F7D98242006958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553239Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:33.473{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A98726FF339E8F2B628F64A8173F91,SHA256=066D3D67BFCECB716CCCAA85609B3495F59912331E4F749BC99BA4A073CA660B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651567Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:33.672{7B03F3B2-D0CA-609A-0D00-00000000BA01}9127316C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000651566Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:31.438{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65090-false10.0.1.12-8000- 23542300x8000000000000000651569Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:34.834{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812D314AC7EAB25979C66E11E9A52AC3,SHA256=7A27DEA99C7BB59D55B6C2CB050E7561601DD3DA7E661D15EFC108B52B1AF3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553240Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:34.504{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40682C8998D06E5DC915E8AAB37A865D,SHA256=11983F1DFFA91A268446BD99018978F2B4ED7A3C11A16B6E37B16CF2D4CE8BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651570Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:35.844{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C4B2DA477CE2B6C332B4120EBBAC04,SHA256=C5039082D0EA2682872706A2B8C56F0D9F263552432950AA08FE479277598B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553244Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.504{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EF8F9ED3F537825E4984DD5002CD99,SHA256=EB49BC01F707A35AF9586A490804E6E03CBF4A8394F5254FC09415200EA34CEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553243Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:33.678{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51562-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553242Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.114{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=132F6AC471D021493630428E08FF2E68,SHA256=53C1F6D3B156270AD35D212D8986F52B384FAA4563C0AF1FE4527C3B76B37784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553241Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.114{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F52F90ADF90A338CEC89CBF1F2EAEE1,SHA256=FD295BF6C647A35B5B27A081BEC693C177592FC3424EE7601FF7B569D84CD21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651571Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:36.849{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FCCB315EF2E30E052069095B12BE06,SHA256=5ADEDE98595074AF1FA086E9E26EC28691603286B19FB0B7B75ACCFB474EF954,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553273Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.785{E1BD9FC2-6890-609D-3F4E-00000000BB01}32561980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553272Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6890-609D-3F4E-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553271Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553270Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553269Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553268Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553267Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553266Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553265Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553264Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553263Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553262Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6890-609D-3F4E-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553261Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.660{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6890-609D-3F4E-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553260Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.661{E1BD9FC2-6890-609D-3F4E-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553259Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.520{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=498B29D69B309E4445FB6239C64DDE79,SHA256=7E432B9E00F9689275FCB111C6BB3AADE2CCD4CCE1A616B55E3F2BC785213EB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553258Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:36.114{E1BD9FC2-688F-609D-3E4E-00000000BB01}40123940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553257Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-688F-609D-3E4E-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553256Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553255Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553254Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553253Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553252Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553251Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553250Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553249Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553248Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553247Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-688F-609D-3E4E-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553246Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-688F-609D-3E4E-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553245Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:35.989{E1BD9FC2-688F-609D-3E4E-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000651575Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:36.461{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65091-false10.0.1.12-8000- 23542300x8000000000000000651574Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:37.861{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22DD2B275F7F362B93DD0B065E15AE9,SHA256=9DBE2CAF38F880235569443813D855F18635DAC12AE891BC30461BF195EB3173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553288Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.676{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5267416D8DAEC358F9DCFFAF83DE3E32,SHA256=E2B6042043E1CB5F1A5C58B794CBF6759269EAA64B9F2CFDE4415A9034368A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651573Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:37.226{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C6EB13C1ABB6844A0CFF5CDE873AC9A,SHA256=EDB29ABA7E58FEDAD79972469EC259A03C44C29E47CDAAF55C81B4C57A2A6C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651572Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:37.225{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=257FC3BC207D8660EAF664CFE6988F9C,SHA256=1351B8464CC525D7678FEE517A40C4BDD1EA31BAE98080C5CAE5FF586951E1ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553287Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6891-609D-404E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553286Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553285Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553284Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553283Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553282Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553281Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553280Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553279Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553278Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553277Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6891-609D-404E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553276Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.332{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6891-609D-404E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553275Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.333{E1BD9FC2-6891-609D-404E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553274Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:37.020{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=132F6AC471D021493630428E08FF2E68,SHA256=53C1F6D3B156270AD35D212D8986F52B384FAA4563C0AF1FE4527C3B76B37784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651608Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.904{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D36B57ECD749CA4FE1DCE12F4E94043,SHA256=D3AB16CE76E06F0EA8C2C97462980D1AD527DAEFD0503D1A4BAC8F76B1F4DE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553304Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.723{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF177ECE90F90A820FB61C9BBB68E1D,SHA256=04891B40A404CA5A1E46208347443E843239F69ED0916F8122D0446D232C1A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651607Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.760{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C6EB13C1ABB6844A0CFF5CDE873AC9A,SHA256=EDB29ABA7E58FEDAD79972469EC259A03C44C29E47CDAAF55C81B4C57A2A6C74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651606Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651605Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651604Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651603Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651602Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651601Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651600Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651599Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651598Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651597Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651596Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651595Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651594Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651593Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651592Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651591Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651590Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651589Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651588Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651587Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651586Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651585Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651584Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651583Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651582Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651581Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651580Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651579Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651578Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651577Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651576Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:38.406{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000553303Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.348{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B21F89B280D9BCFEF13ADAD87DDB3BFF,SHA256=B9162AE6887C456FB5AB4C16117ED6B0DF6F1FD34F193023D4519AB5261417C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553302Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.129{E1BD9FC2-6892-609D-414E-00000000BB01}19522752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553301Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6892-609D-414E-00000000BB01}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553300Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553299Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553298Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553297Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553296Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553295Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553294Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553293Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553292Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553291Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6892-609D-414E-00000000BB01}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553290Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.004{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6892-609D-414E-00000000BB01}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553289Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.005{E1BD9FC2-6892-609D-414E-00000000BB01}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651609Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:39.915{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A710757E6ACF6220C4C3E4414FEB6F,SHA256=2B54150DFE39FA91343C7C24A15B7D7C97E00CC58B4B8E3F451CC397765421A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553305Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:39.785{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6586954B09B0DD9649BEE297A2496F92,SHA256=EADE2D17E6F5320BDFD94DA70F8FB857C4DD859780FE1FA65B3E0E59C3799D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651610Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:40.926{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060EEC3E83119C26AD5876241FB7168D,SHA256=F24F920C8182BDB81BC5A01521174A94DACA2D67696FB9D3AD43C5269A40D9B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553307Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:40.817{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B9A1933F842A2FED99BB38A095BF8A,SHA256=678CA7CE5F57ABA29CF07886D195F4162AC3E92863977D50F3CFCB9A8C9EE856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553306Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:40.192{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB9483C1682F5F64DBB064C8DDE5B744,SHA256=B4A5B1998FAAD7EC52318E5B490AA1490A06F678CB664FE689BE7C229A646B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651611Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:41.933{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB08A45DDA3A264D0D85E351426BA60,SHA256=05E4F9C149A6CF0B19F83F8626A5840480A229D4F00F57F7781B08B7BD672D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553309Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:41.848{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E132BA6BCE1F66471E64CDFCDB32B938,SHA256=5716F066C17EDC6D06820610EB9C71FC98F1A1A3FA781CFEE76631BF28C0880B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553308Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:38.678{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51563-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000651612Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:42.943{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4DDC704C01970658C00ECB2CAEA8BAA,SHA256=A36D4E0A563E306CFAA4AB20969802EABF8D85AB0B5CD12D620D94D942213803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553310Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:42.852{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97ED1694112F1DD7424A12E5F6058D18,SHA256=B9711FFDAD5D73384D8E9A0183F0E3CBE4BCF53F72AE86503B27C0BC7E714490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651614Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:43.952{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8634F74860FDFEFB1D4745A958AA5D,SHA256=EC78E30A0BFAD1D0BF23066FD890BC3C6EF2266B98804798EF252B6997ACD903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553311Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:43.867{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7800DC942730ADD7746C34C19113401A,SHA256=287C47ED751C5720B101347BD479A6FF37F330E9F10A9108409A264C8EDBB64C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651613Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:43.093{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAEB29CA82B249B6F1C6795547662D9C,SHA256=BD084E384F7D74A0D4732278BCA6B6F70D2CA99AEA3AB356DCF062E59B949F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553312Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:44.883{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD437C15FAA3D4F276B456EF68AF3B4D,SHA256=7CEE2C2D03A0D66DF699D95108B8081D38D8E639289841F8C6C31FA8EBB955EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651616Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:44.961{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22ED7E5A4BAC70456ECCDABA6F51305B,SHA256=4071BCF275354C5FC116AC763195FD809F4AD7DA71E2102F4206ADA72E1F5070,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651615Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:42.327{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65092-false10.0.1.12-8000- 23542300x8000000000000000553315Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:45.883{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E165FCD203E5EDB2D279DEA89F85FF3,SHA256=F8DA152CACEE32F5464AA70DEB156863DCA943904C9AF92BBF23CCF7600E0F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651617Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:45.970{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85BCC4662E2C18B956F47C0449EF05A8,SHA256=C2042B6AEE24AC865F96DED6865FC5BA52F5DD460553AF7E9352E31842D020A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553314Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:43.729{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51564-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553313Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:45.086{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=663D009919B1129831F047DA14297F37,SHA256=810AE4E36490A2B15C482485D618E7ED43F8EF3FAC9F3D6EF375AC5ACCC94F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651634Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.982{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D4BB12B8654E38B1B6FB7F17FF5539,SHA256=E3B1274FF469B9076A420026638F87886AE5398899D518F0900B7150B94877A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553316Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:46.914{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9340BC1E4DC2D82832B3AC835C0963F,SHA256=D390A8FE473A815D8533B6A98A3D74679FDB64DE700AD6CD75A9FA203248ACD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651633Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.823{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-689A-609D-2C53-00000000BA01}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651632Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.821{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651631Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.821{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651630Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.820{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651629Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.820{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651628Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.820{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-689A-609D-2C53-00000000BA01}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651627Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.820{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-689A-609D-2C53-00000000BA01}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651626Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.820{7B03F3B2-689A-609D-2C53-00000000BA01}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000651625Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.282{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-689A-609D-2B53-00000000BA01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651624Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.280{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651623Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.280{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651622Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.279{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651621Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.279{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651620Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.279{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-689A-609D-2B53-00000000BA01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651619Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.279{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-689A-609D-2B53-00000000BA01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651618Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:46.279{7B03F3B2-689A-609D-2B53-00000000BA01}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553317Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:47.946{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A8481CD84792CB7F05FA46C4DE1E688,SHA256=09F3224BCB4AB9215A94149250526A009F41DA80C9816C0BF703CDD7B620F39F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651644Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.503{7B03F3B2-689B-609D-2D53-00000000BA01}19168076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651643Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.350{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-689B-609D-2D53-00000000BA01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651642Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.348{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651641Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.348{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651640Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.348{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651639Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.348{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651638Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.347{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-689B-609D-2D53-00000000BA01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651637Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.347{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-689B-609D-2D53-00000000BA01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651636Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.347{7B03F3B2-689B-609D-2D53-00000000BA01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651635Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:47.287{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA622C2F9EA51E07777418F38C2B5C44,SHA256=541F4EB4DDFF6FD8F967D9CD6224B182717261BF1822606F2455D658791F2AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553318Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:48.961{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3467ED4ED4583A44E973718BE1C110B7,SHA256=27F7644AF04F6A82BE3BBE9E40D5967B2A6EF95E59503882BBCD6DBF49F5F7B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651655Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.625{7B03F3B2-689C-609D-2E53-00000000BA01}9044024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651654Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.451{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-689C-609D-2E53-00000000BA01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651653Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.448{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651652Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.448{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651651Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.448{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651650Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.448{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651649Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.448{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-689C-609D-2E53-00000000BA01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651648Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.447{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-689C-609D-2E53-00000000BA01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651647Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.448{7B03F3B2-689C-609D-2E53-00000000BA01}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651646Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.356{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EE8BB118CE764E13BB03470415B244B,SHA256=CEC553C0941CA809C3B8500C1498D163112A9404FD14EE62EACEF1EB805175A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651645Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.006{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DE953EE075EC9C9B971D0A9A19FAEC,SHA256=5E9124AF2D36EE4CD9F846C07313FF6AF800C5A7F85F5DF74222A57E723EDEBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553319Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:49.977{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B0C41DB57B11E907181B599C3603E9,SHA256=BA95655E311AA44D0189FF098CF94C4A88A0A2757573A2BD5A8895EA355CCD4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651667Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:48.285{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65093-false10.0.1.12-8000- 23542300x8000000000000000651666Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.456{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EDF7EE6339C8508A0AFB9C08BED4716,SHA256=78C44E46033470A4F239D838E50D6A7584980A50BFF0618062F0F21583168F40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651665Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.328{7B03F3B2-689D-609D-2F53-00000000BA01}76447376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651664Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.147{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-689D-609D-2F53-00000000BA01}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651663Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.145{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651662Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.145{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651661Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.145{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651660Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.145{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651659Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.145{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-689D-609D-2F53-00000000BA01}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651658Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.144{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-689D-609D-2F53-00000000BA01}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651657Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.144{7B03F3B2-689D-609D-2F53-00000000BA01}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651656Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:49.065{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF25206F213ED3ABED8E031B46D0FB03,SHA256=CC55DFC39D22376D57047A08A59ADE0174BC7E721A384D36BE70B841C03F7D2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553322Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:48.776{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51565-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553321Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:50.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66E946481540A6E3769E1B79E95C5B50,SHA256=7BA3835FC7F878CB9FBDAAE87F76864DB1B6D73964876D98899870824BD87B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553320Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:50.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A301E44FC6BEEFD5E960066C3D3EA3A,SHA256=D02A0E10FFAA0C9B06BDE2BBC5FE7FCDB6A582C64200CA149004BD15B0B9559F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651668Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:50.071{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E8F4DC6A18C8E9067AE17EA0F8F0C0,SHA256=D3DBDB1497BEA8C8EAC86A76D9DD9442D3C3B5F37772583059C7280BD9D05DEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651686Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.960{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-689F-609D-3153-00000000BA01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651685Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.959{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651684Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.959{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651683Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651682Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651681Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.958{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-689F-609D-3153-00000000BA01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651680Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.958{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-689F-609D-3153-00000000BA01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651679Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.957{7B03F3B2-689F-609D-3153-00000000BA01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000651678Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.340{7B03F3B2-689F-609D-3053-00000000BA01}44204340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651677Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.179{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-689F-609D-3053-00000000BA01}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651676Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.176{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651675Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.176{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651674Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.176{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651673Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.176{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651672Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.176{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-689F-609D-3053-00000000BA01}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651671Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.175{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-689F-609D-3053-00000000BA01}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651670Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.175{7B03F3B2-689F-609D-3053-00000000BA01}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651669Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:51.093{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B522FD6281B1543339AA0D375E20A4,SHA256=A287509B0C993FB4D9C29C1D9995A77A16C7145E0206DCC30FBB1FF47901682C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553323Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:51.008{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=092DDD91B7553544FEF9137ACD14EB0E,SHA256=22FDAA3FAC3ADF6E9BC714399BC28CD77EFF891941195A67BEB57CD62FB3BA04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651697Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.872{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=19A2416E9619B0A39C1D1FAAAF22B257,SHA256=F235DAEF19539DAAAEF394A10A6EB3D392C47F06713B1FB8EF57D5167E8BD140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651696Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.411{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=3FA65E4FFCFCC67B2CEAE327420729E0,SHA256=24429E696AB2A1C4FA0D7E9BA07FABCF999D5BC66F06CFF58312B5D351430732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651695Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.410{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=63F8D0876E5D37722C2544B827B22162,SHA256=819BA11C4D75BD59947211E7E84427102D3373C6E019B9849A43C1F84423C959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651694Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.408{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=3CFF6B96AC3A539F304BF35B63FD0DF1,SHA256=DA495EA864F058CD9F735C3BFC7C39DEE7E37651545F3E75ECF9FB5EAA3D5F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651693Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.407{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=CE42040BFEFC1826946B95C20C6F5A36,SHA256=F7ED886C1A1454869BF8268AA970A72A695324346492FBE5AE6D38EADDBAF1DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651692Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.406{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=32A40D2C8217F2EA6BEDE45584C05798,SHA256=16DD526F9D96F413CF4B81DB0B5E149AC38B7E934BC69454FBAB2F8FC9CB3AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651691Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.405{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=0BAB0528A2AACA4BD40FE3A489056742,SHA256=1B4619C375F8B42CECDC46F78AE1FDA8803A1571E51063142D9750E8DA13AB28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651690Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.404{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=7374FC25284F854FC2EF90B290A91E44,SHA256=78DF10BC5AC0A5410009AE10504A4838775FE6BF20B2416B8429C6D9A83F9B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651689Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.403{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B0CD890591BD50F6A9E0FF4F94285DCD,SHA256=52944146A5A3E8BC9A5284992D05646197A0E8DE9F9112639230BC95488463B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651688Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.203{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2A5601099EFE0294227EBA5B4C37663,SHA256=BAD6CB45757C6EDF95900BD339B69BF75F8DAA46CFFE93584726C3F83249C73C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651687Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:52.114{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70343A36838DB1495671DD885AEA8A90,SHA256=550861E34BD40CF1A57ED12C6D3CD1CE2F14E53ED76988FF9AFFEBCB95430A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553324Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:52.008{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A0367F980DD40BCFF383EEB274F53A,SHA256=A83730B220B86A10A5526347ACA69F70D56DB009ED135BFC4CEC7695F3971A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553325Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:53.009{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6176AA2DA1C924BFC3ADEEFFDD3189C7,SHA256=CB0F627C71CD2DABAFF520E806314B307E22A244DEE88A77D7FF4E2CF0DF47B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651698Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:53.124{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437485AE041594912838DC90FA5B801B,SHA256=C987666798B9C28BB46636F8D32E5AFF19301A2C160F5751756AB6FBCBB4A9E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553326Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:54.058{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743AD8B2269A45E69B2A78A39BCBF5CE,SHA256=32D498C7B455A95D8D82C76DE411E6E0ABF0398E1A9787CBE644E39B84582642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651700Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:54.130{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8AFC70ED3E3D06B2989803E62024A23,SHA256=AC9E8D2B9157A97F4EEDF5A88B724E6F606380BA78E9E4DFBEC8FF890A3CC80D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651699Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:54.129{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA4A2477BE391D7D90C6EB0DD30D937,SHA256=A5350CEE342B505964D5F2B5995F01553AAB88B2B1AD29E6CD157D20EB67EE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651702Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:55.137{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6008D8C81AB59BB123B5F168C0323A36,SHA256=845D3D2DDF087525468A4A448786C179A1BBA00A3D9BA8686B342206BFFC846E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553328Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:55.137{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66E946481540A6E3769E1B79E95C5B50,SHA256=7BA3835FC7F878CB9FBDAAE87F76864DB1B6D73964876D98899870824BD87B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553327Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:55.059{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D320F0B312986E445A3A8C8D187E0F8,SHA256=B330E25545BCC633D7BCD34D74D3117A070673A333F3322C239EDB3F6F80C2FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651701Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:53.361{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65094-false10.0.1.12-8000- 23542300x8000000000000000651703Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:56.143{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2021D42F804ADF0F1FFA678C2FA90185,SHA256=7F09CC49F7E843E5E136C9AA7E2469FD9F51F8F7F795FE08845EF3FE57F5FA0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553330Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:56.075{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828083796BFE056CA27CBF159B3062E4,SHA256=62266DB982154F917A167E23074BF63171777B9A4234AC70459057F231B48EDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553329Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:53.778{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51566-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000651704Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:57.147{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3B461651E5C6416210BFFF1625F6F2,SHA256=06F3BE329429A74BE3BDB1326E2F88C7F9589C009C5B5BE55AEE400005A3EFDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553331Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:57.090{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A6D8E225213BB4BACDB2DE2C8F31FF,SHA256=74E6503E5AAAE9E48DD19244B52ADCECEFE6E544590AA124241089E4492807B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553332Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:58.106{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD83A88E9CD4FE22047301AC50471BC5,SHA256=7D706F29BA84C7C5381D73172351881601B820BB53707E3ACDE680E2A435137A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651706Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:58.718{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D2E1677B776C02E59BD7C690C943F92,SHA256=222D9318D3E8546D07D6848216D1C96858078A7EA104448DA3D090BB0C582ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651705Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:58.158{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D2326D271C2A6DB246210F586B8793,SHA256=C547AAD929115B76676C8474A47A7AE18387D649CB0CCE14226B6D1229C4FDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553333Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:59.121{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0AB755C555CFA4D00123FFB89F134C,SHA256=65F4F4A4ED74E9D5CB47AB6A55915782E710316A1AE5E739DA934287077D8235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651715Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.313{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=9F644392C9CCCB8281FB63527CE54B19,SHA256=74831CB0EDA2B0F2885D944CEFF65F45C9D280D97DBDEFBDEB5FE33BD08B7EA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651714Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.311{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=4197EFF7F28927B9EB43FFEE86AA9200,SHA256=CEA47C3462704ED4984CAF6D189FC8614438FDB3113A2E69216C96EDA57FDEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651713Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.310{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=74020A9608C8BA2AE05264B8F86B6F79,SHA256=731BE1568D0ABBABA48CEF9951D12D00B44D2F9E9D03053A4D53E95957A70869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651712Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.309{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=6701A18602DBE22B9108FC890A0A614D,SHA256=E3EDCA0A8B58444B5C8E11A708C0261E13CC1475CBD539899664634A9ECD2FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651711Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.308{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=D4E9E58693815B86F3CB0EADDD206380,SHA256=816C1B600D14D4DDE61009E9CC7AC03BE9EC34AD1F055FAEA1834F80CB44A276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651710Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.307{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E60F45E220A2118D350E0315A98987BD,SHA256=AF844B91EFF9E07F6E9AF25595CFDE49AA30BFE25ADDD974ED8B546C3E4EEDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651709Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.305{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=6D2288827779DA59077CBF7B956CA836,SHA256=A90C5C8A57C36588343EC95C73362C8D2CA49A9953BF33563A5929B05959E449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651708Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.304{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=BFA5D6B92B45884A3F23D2E76B8EB3C1,SHA256=985614CB856BC7A90CC4F651C23D8A8E193D63D666EAD8792E12F6AF3090807E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651707Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:59.169{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F64F4897566B47B39FC81999D99054,SHA256=80F78157128B3A0899D9C0A06A496E18AB2E4157AF6C28E75F5BEF00764C587B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651717Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:57:58.414{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65095-false10.0.1.12-8000- 23542300x8000000000000000651716Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:00.184{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFEA56039E2B05CB5A048ED0412D93C,SHA256=C2D86D9CFD586F5F5A68ABE1AF367CAEC4C554C06734D640EEBCEA67A4734571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553336Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:00.340{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC91E74FE93E86A87E8C502C0ED196B6,SHA256=1C24C9DE188C8DD9E6E08468913D5B934D414B70450997DC088D90FC24806609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553335Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:00.340{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B113D584205B0A39A171FC3BD82E10CC,SHA256=FECBAB0B09D41EA74A7674E4AFCA269395B41956EBA9B4BDFDC2B3BA6AF47477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553334Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:00.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD40F5B2C71CFB34AA08083229FDEE7A,SHA256=62D6CC4F0C39618AD14576E961CE43579198B6B150E771F34E9E2559ACE295D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651718Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:01.197{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414AB040E5AF01A123009C3BC1346DE7,SHA256=759F6B534E98ADC8EBD9C3B7EF600A4A2377FBE7A2060168A7CFF559EF09A96D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553338Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:57:58.827{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51567-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553337Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:01.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6F1660478B212D73206A5BD752ABDE,SHA256=3904162DB79FFE17BE880B4F15AE67F767B23713394A821C7030CFA60D942B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651719Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:02.210{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40358B30192FAB7039933E915293DBE,SHA256=E7CC4C983472E73ACC210F8FF4A21338D3D2D7B36B82AA23F0B70E6CF8F6D671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553339Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:02.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412078D61A8AA01F9F899C6BA3B34E6D,SHA256=20516E8320C9DCDC574676E81406F1E7002FFF3DBE342B7674EDB62F837E7DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651722Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:03.728{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1B1574700E05B00DD2F11CCCDCED811,SHA256=96A6EB004779E8086FFF1374452673657D9DA8DDA998EAA69FBAA4B9010E9BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651721Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:03.727{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F80D1D6ECE82335476BAB684CB62A125,SHA256=CC394C2572FD5F9CF5E8BB860C1F3E92B8509AA14EB5E52F0AF6B3236B81EEB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651720Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:03.270{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A69A7487A2241CEF50438E3DF93549A,SHA256=52F12F44FA30A479AB79423017F36EA8E2F81A045E455DCABD77657BE7BF923E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553340Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:03.154{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D26B477DC83BF8B850D87FCA1818980,SHA256=F59D55C34D5673343E658C98336C63433A544B4C13EABA4B4B3894A88F0BBEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651723Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:04.286{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD748E54C8DF1750779813216C8B9C7E,SHA256=528F0D8933AF119784E935BBD22A34EE78CEEBFA43806ABC6903CF0637A70CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553341Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:04.185{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB35C554B078E3D228F443DF5E078C1,SHA256=DAEFAFF07EEE2669E88DD5848D67041A2B32DB35BA1D760D95597EEAB4D56133,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651726Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:04.358{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65096-false10.0.1.12-8000- 23542300x8000000000000000651725Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:05.295{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CB94C80480FEB16799B02BF74CFFDF,SHA256=D405E505D013302F1FB89F3064EB92E21A3B505F77D60A2FB3C9354C0DD860D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553343Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:05.232{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC91E74FE93E86A87E8C502C0ED196B6,SHA256=1C24C9DE188C8DD9E6E08468913D5B934D414B70450997DC088D90FC24806609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553342Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:05.200{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FFBE6D1BD6CA30845D838D74F885CD,SHA256=4FBB84F645112B1F31BBF32F8D00316DBF61266EFE2B9A4C447092A42D385C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651724Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:05.133{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1B1574700E05B00DD2F11CCCDCED811,SHA256=96A6EB004779E8086FFF1374452673657D9DA8DDA998EAA69FBAA4B9010E9BA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553345Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:03.859{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51568-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553344Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:06.216{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DC41A56E4F152D89DA247CB352E392,SHA256=50C2D66D752EE3270E71BD959E53AFF9DCAD79F2AAA0CE794FB4550830279BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651727Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:06.311{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F45FD8C0342DDC8302BBAFD61C524FB,SHA256=B5E918772A701E6FE2B0F25C9858431B3C380CFCC0FF47AFBC4B7CB3D54EC49D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553346Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:07.232{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8512D8D2017FD825F54F8B376260A2,SHA256=10383F78E55D780CF9F08DB803F036FD3FFBF753672A2B3B15445B386DB97D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651728Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:07.318{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4E674B1127FDCCEA47D25CB9E03932,SHA256=9B9E3ABFACD78A1BBEEA8B22508611F4A76EC4B8BF6ABDCA9E20FFDEAC4DFD6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651730Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:08.698{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7552EB87210A835B483F6BB59D3ED6C3,SHA256=2D3C45E704AF665BD4B2868011555D273DEAFBC4983EE9F1131DBB6927A4C36C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651729Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:08.322{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F24AA364E2603FA3F950733727E760A,SHA256=B9DABAAB3142D1A4A17C62B591677CC7FC00C806E583F2823D03332E5B2F8B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553348Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:08.700{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ACD62475794E1DC248C6E488D3B7EC7C,SHA256=E3C02AE6DA32911861C64FCE2D03DB3E939376243BE9F11CBBB2FE0364831639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553347Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:08.278{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25EA1CE0B894A2988B5F79E46420126,SHA256=E4CE30C464EAB109753DAF40F33E2C627BDD0549A29E892E2465D55EA92567F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553349Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:09.279{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FF7462447B9E1F87516A4782576A20,SHA256=0A9D0F5C6D820470ABC36668458A3CAD319AEFA22AF52C19DD17BF3014534F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651731Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:09.330{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5DB3CF0CDCAFB74384065763C242BB,SHA256=E81FF16112FC5119D3C65B2E52AAEE774DA46A62A9AA4FB0FA05E18608C06E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553350Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:10.294{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDA40BE2F4C2B93C1941FB08F70A074,SHA256=19470B13673A135C9C04ED67056BA3D9DF65E7E720025DA0CCBDEBB02420EAD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651732Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:10.340{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E61A996A86EB4B6702A96100B6C470,SHA256=3A1A2188FDE2C581728F642A18CEFB81E0DEDA0312E8E7BF0DEBEF7B86D2184B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553354Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:09.749{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51569-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553353Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:11.325{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6008F74A92332117BDA60B0673121B3E,SHA256=E76A4B3AEA587343189BE1D698BCE94DCD7743960BC587C129D7EEA1C9DF63C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553352Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:11.325{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=565637DE58C7EB5EEC0A27153234FEC3,SHA256=0632BB9E551AA1585B895D7814897ACE678ECF0A0CD7C2D1E257C7C8CF66BC34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553351Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:11.294{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DC5A2BC991CF46B66F99B67AFBA8D2,SHA256=88FB1E7D686BFCD252B95CC06AFBE28222A41282E72026912B2E6ABCFB7AFB88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651735Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:10.307{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65097-false10.0.1.12-8000- 23542300x8000000000000000651734Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:11.354{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC2FF690352A3CFE9AE854E37F10DE8,SHA256=AAA7971C7B54C8944230A93B9E846D871F601ACC9014B10B4A7DC2B431065D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651733Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:11.069{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D7C50E329D5F09E5FE586E0047AB140,SHA256=15C8013316862DA46200E80B92DD56C74605A6B7780E2996E2544EC51C6CE8BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651736Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:12.376{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B8D6C8543CE2A8B770950EB1120F1E,SHA256=C6036CEAE7E4C6FA447F6DFF781F4E63C652A01109945586FE260884AC3734BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553355Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:12.294{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50609981D96232C57539F6DCC9513BA7,SHA256=CA795CF41A5E35DD2CEFCF521D55D0B9DAF1A6E54887B709036B2057E1BDC0DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651737Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:13.389{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D769D93A86D53DFF762B488332BCA81F,SHA256=1C3233133E87CF8E1BF4DB1978AE93D826D64AC145CCCBCA04FF4D86E15EE0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553356Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:13.310{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B14D301C37B31AADED9673BD74F0CD,SHA256=BADAF83A32E7E9A6586675984EDFBED3291F35308F9445B5FA8DD1F374D7ABB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651738Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:14.397{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=070230C7E894E9119D1E28E89CDF9B21,SHA256=2591FF192D333ADC0F75C0CE4221553D8537CBDB1A40DF52BE852549C329619B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553357Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:14.341{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2AF8E1C973439AD72C31E10BAAFDA2,SHA256=E1AF80A2DF4679FFF5D97FE444757027AE5482D7A3521EE57923915F38A8F1C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651739Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:15.408{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F2E5F627B267A2DB839005FC0D61B5,SHA256=4E8C53F319BCD033B3AFAFBFB9AD523CD0E9AFF3A3BA5B0AF9E406E05AD9ED95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553358Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:15.357{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9F9D70697FA6E52011ADF749D2B023,SHA256=3B78A83E93A7E47E4B35241EE8408A9DD9806C6E4E9DE57BCEC3D60DE456EF41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651742Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:16.454{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB89B55D906FE017E7A09347D9C95D3,SHA256=7E1B0396B8C9645AF81FB3305D529D4A1069D1F8557B96C34E852FFFD6EC22B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553361Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:14.812{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51570-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553360Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:16.372{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF1B37188C27B947EC35927107AF92F,SHA256=32B6630F0D88C6B360534DB4992ADEE3E13A3141D01FD9E80DA0736DA82E4014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651741Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:16.123{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28DF47F8963AB83A86012DF560F07B65,SHA256=5435C5356BA089704B2503DA5E3C25F3B6EBF888D3AF828DABF7E080A3C030A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651740Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:16.122{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2DA36AFCA601FE712772C5077D9E12E,SHA256=C949A9D34744A21F982797886249845D045D58BDE0E60C41D29243C263EE0E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553359Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:16.200{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6008F74A92332117BDA60B0673121B3E,SHA256=E76A4B3AEA587343189BE1D698BCE94DCD7743960BC587C129D7EEA1C9DF63C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651744Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:15.355{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65098-false10.0.1.12-8000- 23542300x8000000000000000651743Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:17.468{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2635E5FC738B160C15E0DD7FFD74FB,SHA256=4D700D720BCA1B5CC21210AC62AC0761D48A83CCD34A85AEB95545E47775E099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553362Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:17.404{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0F5346C72E96EEFF6FF20DEEDBAD59,SHA256=79F56C248D9EA95102F682F479BC9426E521C4B7050F0EB404D9AEB79EFAA907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651746Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:18.740{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28DF47F8963AB83A86012DF560F07B65,SHA256=5435C5356BA089704B2503DA5E3C25F3B6EBF888D3AF828DABF7E080A3C030A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651745Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:18.483{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66386F623C76D9241FFBC3254BBA1F3,SHA256=3EF1C22B8DEA53577C7096170C271A25F9A6095584BE59EBA4415286BCEC71E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553363Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:18.404{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CE83B01D2CAB5076B52717C7299F48,SHA256=4F370E75AE4984A4C53CF9A01DB85E75CBDC0C0B469518462DC1E3822683D34F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553364Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:19.419{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6CAE82B8C35699196D03D1FE3371F3,SHA256=261DCBD78D013A219858954DB05DF7550076026BAE7A1EFF7877C54328300BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651755Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.499{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D4F461C6798CABBC0B5BA932B41FDC,SHA256=21E29685150642507CFAC099180763826B58656D29CC8671D70F5AAF5CCE685F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651754Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.381{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=AF5B9642F3A6DF02A0B51D41E61B9B71,SHA256=58799FB4D26047360E198B71E243146BC67EF77AFAAFA61699CAE563A1B4022E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651753Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.380{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=12C2451F5536A784DB80B0F6E39EA11F,SHA256=9E00F13CB7CB0F5D9D79866E8BE12EC577079F111D6C8FBF8B87AF0B5397AE89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651752Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.379{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=5644CE059FBF21F30E6A94F7EA223013,SHA256=03FA6CB067F2D4786BB26494A7FE797E1288A3CA66C1EC89F3DCFB568804CE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651751Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.378{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E36FB4FBB89BEFF86D93B5709A1E8E9B,SHA256=A18D23FC6B8CBD0AD3EBA29F85BA605A82837C8F6FEC0FA0595FA96F8C77AE9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651750Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.376{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=68AC10C15C7CB890FE6B470D9C82357B,SHA256=A967954E44C96A592BA7148ACB06193219A3D4D50B66646577EB7D865F54C13C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651749Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.375{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E93B9B257221493751259ECA55778B63,SHA256=507B585E5D6C2F97672CA7014FCE7100D591E6E9B5C6453F88037462C1EE9ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651748Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.374{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=F0FC8B0606D8F6EBCB0D6297B088A25E,SHA256=99ADCBFCDFF3E73CE20659FB0FF36B439D74B6A4EB1191EAC096F4733BE9CF97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651747Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:19.370{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=A78DFE539A7C66C286C342430CA5F3D1,SHA256=CE3A92004BC7D4BA0FB2EEF7BB642D98922D79826F3CB2EFE762DF2E4EEBDDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651756Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:20.535{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA4A814949164E48420417CB850A0EE,SHA256=8BAD57FC73C21C22CE3003DEF3E9F5C438A65C335D446FF767F5C114EC60F8D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553365Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:20.435{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911811307E9D62110AF490007DB5FF84,SHA256=092ADD00FE0E2E852993B034B748C43229E9AE34B1660EE603AFCC3AA3E20857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553366Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:21.482{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D933F3C8E17424F59B1B9CE85AC7E36,SHA256=78795012D65FF2B35E479A02C024CF6A306F9F5E261166B5E6914C8ACB558BFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651759Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:20.393{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65099-false10.0.1.12-8000- 23542300x8000000000000000651758Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:21.548{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477F2A7552CF5EE04A677DBFCED69228,SHA256=6A0312A741289B1F74A84D41F1627D85212F546181439029BE0D0B9042F23D87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651757Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:21.175{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29652026B35491AFA74B9E2832FBBA43,SHA256=7FCB67A157FB7E57D2E9F46D3A23C8A55B743F5FD935FD2036E1E5BC9FD0FF9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553370Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:20.749{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51571-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553369Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:22.497{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901349B697F563C40F8D33761FED3F50,SHA256=3A07D216D00F15D33E65ED6544B468E770DDD9F8F81FB8212DA7792276F1A3FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651761Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:22.872{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651760Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:22.564{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F1D277CA3483F5C33D5CD7E64D91E0,SHA256=F0DBE3AA3EE507081114B43C9AA365050C64D9804F133C4B5687254B3518603C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553368Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:22.341{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F49B5B01B6EEFCF627B2AC3B7A4B679A,SHA256=0710FB5B6F62050D471677BDE2CD542347E79E72CA9C2F3D30BCC21CC21C28AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553367Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:22.341{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF08D685D2152B667028F2C6769C8BB0,SHA256=5F37BD40E8FF2FFD41AF96AB50E1A81C5BB0EB7972EF3728895C3A9FC76FBFD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553371Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:23.506{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B827BC6B9ECBB2F92F4D8C490ED583D,SHA256=7E6EFB5FD4DE33F34A8733EE18DEEFEA3B9458D81FA48A6504430DC72DBFECB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651763Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:23.757{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=876746DC1D3BAAFB241BE57D429CA614,SHA256=EE4095B6507C06A06DEF4594B4E9A344BF268C862CFC3ADEA3386CC13F42ABF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651762Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:23.573{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F733471C851838A530BE57FB2EA4DD,SHA256=33F389B6C058530E78BDF7A61DC7F655514010B14AF47D262BCB1A2BCE350D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651767Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:24.588{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85447495726B887DAC056FDE5C4E19C,SHA256=6DBE5CB208A0B88DD04A1B45885A27F1BB9A1EA721DCAB17F9182FA9C8180BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553372Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:24.537{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543E14C0BD8C94BBFBA93B7705669400,SHA256=E41FF71E8AEC32B9120D109BF6E25942661D8DA18CAA976AEDB32FE25FA62134,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651766Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:23.534{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65101-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000651765Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:23.534{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65101-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000651764Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:23.084{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65100-false10.0.1.12-8089- 23542300x8000000000000000651768Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:25.625{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C561B082C2090784F5D2D062C790BE40,SHA256=4DC44342E208447404670E44A7166B5937D0104C59712DAED764188998F99823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553373Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:25.569{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920624CECA9F73BD8D26F795DB86D064,SHA256=E09A950BFD799E93B585CBC89BC30AA7DB00AC36ADCDCD2E2D2010C2FFB8EE66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651770Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:26.629{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9CA423BA9FEE87A8646E7CA10F5AFA,SHA256=1B63D58533501C656F4F7D7038E628276AD32EF048F778B523973BCCF4AC5E2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553387Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68C2-609D-424E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553386Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553385Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553384Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553383Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553382Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553381Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553380Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553379Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553378Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553377Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-68C2-609D-424E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553376Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.756{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68C2-609D-424E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553375Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.757{E1BD9FC2-68C2-609D-424E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553374Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:26.584{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01FBB1A1A61A650223405D37677AE777,SHA256=CF11864DC146D79941EB304286F985034311F49E2AC48F07234628B200AB2562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651769Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:26.211{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF759013B3807CC4EF1B8A996993960B,SHA256=644695D03ABD13F93BAB4FCE00DA88F0A849B88D658F086F22CFE2EABFF95D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651772Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:27.640{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AE0631212CE65398B84F2CC3989F91,SHA256=421F19877FDA95F230B05FEA8EDDFD7B369D4F2A82A0265FB17954BC0A692DCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553404Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:25.774{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51572-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553403Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.741{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A3936F8089BD96C914BA38B9EC5A62,SHA256=B6B8CA47607B79FEBEC795713944EA45E47F1B51C51C50A2AF6311537DEB6641,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651771Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:25.442{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65102-false10.0.1.12-8000- 23542300x8000000000000000553402Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.506{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553401Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68C3-609D-434E-00000000BB01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553400Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553399Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553398Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553397Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553396Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553395Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553394Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553393Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553392Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553391Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-68C3-609D-434E-00000000BB01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553390Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.381{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68C3-609D-434E-00000000BB01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553389Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.382{E1BD9FC2-68C3-609D-434E-00000000BB01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553388Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.241{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F49B5B01B6EEFCF627B2AC3B7A4B679A,SHA256=0710FB5B6F62050D471677BDE2CD542347E79E72CA9C2F3D30BCC21CC21C28AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553421Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.975{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BECD4792FF5EDF44263C02955A100BB,SHA256=A18725E82C87BB9ECF8AA24E06F2BADB229F12CCC68CD7A3029CC4500DCC6EE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651773Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:28.649{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B0D8BC5796A15F8A170F4E97CAB01B,SHA256=7133A5CC7A4617F4D80C3D442FF8E4BCAE29868AAFB88A8EE29FBB5C2BBFAC45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553420Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:27.133{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51573-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000553419Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.397{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8EF254464C9F08EECD51A7220D02FF4,SHA256=96560B79D6A4D4B66ED6978C7863277E09C861AD8AA2AE23B1DC7414CDC0D55D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553418Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.178{E1BD9FC2-68C4-609D-444E-00000000BB01}908828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553417Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68C4-609D-444E-00000000BB01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553416Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553415Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553414Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553413Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553412Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553411Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553410Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553409Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553408Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553407Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-68C4-609D-444E-00000000BB01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553406Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.053{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68C4-609D-444E-00000000BB01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553405Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:28.054{E1BD9FC2-68C4-609D-444E-00000000BB01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553422Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:29.991{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4283FD406302948E3AA423AA9B742C,SHA256=37C797DCF642C24B83BA5ED30F1530D9AF0A50F619B00318B812966051C1A94A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651774Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:29.655{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE7D3F72DFED9AD475935D42C096395,SHA256=842ED4DEA6C0F84EB1F4B4F368A25AA9CAFA5CFB8B4753C7F29C67645692C3FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651775Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:30.672{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D87F81C8E1BD5CA975119BC863AC96D,SHA256=73DA0E97ED831C8BB5D76B1C390762893C64C440E86706AA6C13CAC476C1A224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651776Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:31.697{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C2DE79840BD15EBD530BD559F54D3B2,SHA256=6DF4681227ADC23FB45A66D756A3F2588B48775D0302247C3B27C6D0DE403D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553423Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:31.084{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549BC964964AA3D896A4D66DB6D6B13A,SHA256=849FA0308C2838C5309972AB106BD642E3A99C899288A95E797C5ACABBA2A906,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651780Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:31.324{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65103-false10.0.1.12-8000- 23542300x8000000000000000651779Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:32.705{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10E44A0C8B5C1AC6C6559489B45626B,SHA256=5BC6822751C1905FD2A8EC4F860A7704B5A977CBB0FF2F70C082565A2B0B152F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553425Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:32.194{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D970B195A162D9C8B9B8DAC0F344A6EF,SHA256=A037A8DD737FC8A5937544EF08F81BE24EF13141AB621A34EDBBBCFD86DF73F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553424Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:32.131{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0066E00D381FB1E0755368C984E63569,SHA256=1A7F8E3C3BB3B410EBC256E97953C77442F7375E199D8FFEBD387D75577FD17E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651778Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:32.092{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=932A5168A066DAA35B0F516C542BD972,SHA256=28149A73F766E8B06A38D69266F63036BFAEA12B71531D2AC29FCA216F31596D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651777Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:32.091{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F378BCF98828DD7BBE98D7DD308EED43,SHA256=EDBB2C4B462164FD642554F1DF0E5F6531D686E0EB0D9AEB3593E623EA558163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651781Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:33.717{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB51D3106B54B24BE8FAF002DB09448B,SHA256=A5F7381A1A97BA98D3A5476503BD03AEFD935121A803042349EB9250E9AA9AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553427Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:33.131{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E57BE96EE96A46439832F2C3B68542E,SHA256=FDCF8816BBE6039B018DDDFEA832759D0E7BFBD833B4E4505975D8DF3723BD65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553426Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:30.774{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51574-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000651782Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:34.723{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A1B7C8E968F81878B27B035CC0CBD80,SHA256=016D88E98429A4EE233AACF0E83548851D3696529A5713F06387B93AE8D14C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553428Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:34.194{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D09B4578EF6C68DE11C525B2B7DBCBB,SHA256=E0EE40B7117ED23313EF6DE60920EA8D4D177FF7204C7D483C3486F0E6D6F8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651783Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:35.731{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D2113C594F04CB22CB59594189603C,SHA256=8E4AF65C7C9F7C10A80B86A1CBBFE8E7FF90EBA01BC539CE6725058ADD761683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553429Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.225{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=679A0946299D0B37F27481A72E293617,SHA256=4E74ACEF54CB649BC7F8AF6E6F24EC14D92BAE5C16228CDD4351D1BC3AD370C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651784Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:36.764{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DE32BC44143A15EE844479D30D6ED6,SHA256=2D5B694B70B447361D20265EC104BBE58B462ED137108B54FECFFCBF665DB20A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553458Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.615{E1BD9FC2-68CC-609D-464E-00000000BB01}2052820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553457Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68CC-609D-464E-00000000BB01}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553456Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553455Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553454Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553453Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553452Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553451Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553450Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553449Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553448Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553447Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-68CC-609D-464E-00000000BB01}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553446Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.490{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68CC-609D-464E-00000000BB01}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553445Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.492{E1BD9FC2-68CC-609D-464E-00000000BB01}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553444Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.256{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46FDB4AFD7233A88381C1A7DE1BE6356,SHA256=DE1B2C846CC27AF8751B69822D30E0557E0A4F9904115A2DB4BA89646C86F828,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553443Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.115{E1BD9FC2-68CB-609D-454E-00000000BB01}38401876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553442Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:36.006{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68CB-609D-454E-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553441Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553440Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553439Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553438Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553437Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553436Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553435Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553434Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553433Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553432Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-68CB-609D-454E-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553431Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.990{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68CB-609D-454E-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553430Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.991{E1BD9FC2-68CB-609D-454E-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651787Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:37.784{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20D4B9649CFD8F3C00FF53588F0DD02,SHA256=C61BC09D062187D20FB05D0C642995C0D07803E103B50D4FEE0C9E055860F426,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553488Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68CD-609D-484E-00000000BB01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553487Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553486Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553485Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553484Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553483Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553482Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553481Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553480Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553479Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553478Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-68CD-609D-484E-00000000BB01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553477Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.834{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68CD-609D-484E-00000000BB01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553476Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.835{E1BD9FC2-68CD-609D-484E-00000000BB01}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553475Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.631{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89554617EF1C6D61BBD696F63DE19722,SHA256=7A47D3B324E6EBE71498E5FE2172D6E56C85957C3E35F27ED4687B9DDE8E037E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651786Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:37.253{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3371E14E74907A80F1A82947CF43205,SHA256=C321E47B5C952086B777DC50763F1B36EAB27FFC020C9464F2397F51243E3562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651785Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:37.252{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=932A5168A066DAA35B0F516C542BD972,SHA256=28149A73F766E8B06A38D69266F63036BFAEA12B71531D2AC29FCA216F31596D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553474Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.287{E1BD9FC2-68CD-609D-474E-00000000BB01}29323560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000553473Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.194{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE55DB45C835D09FBEC81AA51BA31C5E,SHA256=12E039A7CAC27CF4AD540F57B608149635B786042146EF6C686647DEFF46E1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553472Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.194{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8195804715B147CA2721ED798596E1C9,SHA256=F5A63C68BD86246E5844B4A6DE9CBA75D8ABE3CBE893F9CA4D287783F8CDBC58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553471Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68CD-609D-474E-00000000BB01}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553470Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553469Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553468Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553467Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553466Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553465Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553464Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553463Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553462Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553461Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-68CD-609D-474E-00000000BB01}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553460Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.162{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68CD-609D-474E-00000000BB01}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553459Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:37.163{E1BD9FC2-68CD-609D-474E-00000000BB01}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000651790Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:36.482{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65104-false10.0.1.12-8000- 23542300x8000000000000000651789Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:38.797{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4A17AAE32F046AFA581C899CCB2A20,SHA256=698601A8B2A8E5DB0B1D499E7F47B3FDB5A01587844473A815E28FCA550C1F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553491Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:38.647{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7386120F2B9A15C08B3C9EF31EB32E5,SHA256=FC97BC8A4A269B8B4D6D2D54C5DA06E2B859FF673D67C10ACA33BDE984538551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651788Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:38.751{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3371E14E74907A80F1A82947CF43205,SHA256=C321E47B5C952086B777DC50763F1B36EAB27FFC020C9464F2397F51243E3562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553490Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:38.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE55DB45C835D09FBEC81AA51BA31C5E,SHA256=12E039A7CAC27CF4AD540F57B608149635B786042146EF6C686647DEFF46E1E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553489Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:35.810{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51575-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000651791Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:39.799{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7889E66EE3CCAFE4D61282FC1673E554,SHA256=501B447A630918D1A9B8924E565EFF668A69848FA30B5CDCE7AA35ED55556D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553492Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:39.662{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA50FC4BB0F3E547E359756BE8F47250,SHA256=AA24EEA13088EDAABADCC8C1711ED5ED16016D0DF918D2779C29A108E5D83D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651792Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:40.814{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88511A5A74BEF7C7E17F93C6A686DC4A,SHA256=1F8A0BE3E2451689C2D7A79A269A8B48AEA12AA5259924BD21F21691346E450D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553493Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:40.678{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63474E7A533A42780A7EF3C3D1600535,SHA256=6F34DFB79E448B4E709F53D501BD0FB9C16953C74934BB14EC518A9D82A68717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651793Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:41.832{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120D48271EB70B165E50E36C01437131,SHA256=351468FFB2A21443F1CAE30BB1A944A2B163B2B6B873FB00304C37D5014FF8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553494Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:41.678{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49373893F88ABADD72CB1494B098C65F,SHA256=875FD4857ABC19514B7CDD66EDD23962704F28819586D8E97D9865455A7ED26F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651794Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:42.844{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867ED27AA0EDEDC936E581CDA04B1C0E,SHA256=C6518D91D98F08311725FEB87612A7D79C0FE7BB2ECC052AB8A43CA0F32BC1FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553495Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:42.694{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45912B2685B5AA15463F6AC861EC357B,SHA256=581B5D702414A9455CE17734B129C382140695D66C88B0512E3C698A90033867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651796Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:43.859{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3584E8F0A818E77DADCBBC49E077CD,SHA256=8662DEAA104B34507FD385F6E3153F3EFFC8B49E0ACAB87C54E1CBF154A7B859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553498Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:43.729{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F45E10A1F995611B4614DE25EE0FD83,SHA256=A9B718A549D9FA7F1BDCDB1AD8A2110BE6588F61CE210317A3FE70C410D93289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651795Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:43.238{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8662FA9B53C027B75FCAB77F78161C19,SHA256=9AC34DB02DA72C2EDF4A0E1EF4A9E4E410A4F9DDACAE65BA5DF643502E2C03CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553497Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:41.727{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51576-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553496Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:43.167{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15D9994021E0F61BC8122F136731AA90,SHA256=B47BBBBDBBEB28D08F5E440006A431E49E6669971148006B591329339AB4CC89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651799Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:44.866{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B743D7AF070C6D22E492B7ECFD6FDC9,SHA256=B73F227078F0B9285B853EAAD1B833D742643A0BD39B4A21593624639820FF78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553499Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:44.776{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52CB03BDE97F2CA90FBB29BCA841F95,SHA256=B09B10FC913A4F8CA67EB89FF6EB06DE4E4D9F2F745D614A3185E107649F7A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651798Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:44.479{7B03F3B2-4788-609D-774E-00000000BA01}1036ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1036.xml~RFa220025.TMPMD5=5714059E6175AA2BE2D911D4379F98E9,SHA256=264C6878029CE25FF6ED4F8B1DC23FC47E1DCE8FD2D3EE4B31E7066B69968955,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651797Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:42.468{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65105-false10.0.1.12-8000- 23542300x8000000000000000651800Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:45.877{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F11A9B80B4972FC64078DCE84C6E88,SHA256=D4D349B48D2C5065CDA9725EF2A9D6C14C93E7FB8F4ED7F940807C02DB8080FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553500Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:45.792{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41F601391E7F14BB396BB40DEEFBA02,SHA256=541B63600E00369C0392DCD46B924DCE73CB8019FC731E1FCE9367BF0DBB7D0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651817Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.936{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-68D6-609D-3353-00000000BA01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651816Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.934{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651815Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.934{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651814Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.933{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651813Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.933{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651812Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.933{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-68D6-609D-3353-00000000BA01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651811Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.933{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-68D6-609D-3353-00000000BA01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651810Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.933{7B03F3B2-68D6-609D-3353-00000000BA01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651809Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.885{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668174E32C798A3B45F4A430102326DA,SHA256=AE49CB20191B603796ED9BF0D95409EC5C1F9A9F726583CC18F06ECFC9500952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553501Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:46.792{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BB4675EB0280FBC24B1B6619398099,SHA256=BFA0267B772C93ACF8A76B8E412113A96352330C6829D6565A59ED5718437897,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651808Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.256{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-68D6-609D-3253-00000000BA01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651807Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.252{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651806Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.252{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651805Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.251{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651804Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.251{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651803Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.251{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-68D6-609D-3253-00000000BA01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651802Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.251{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-68D6-609D-3253-00000000BA01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651801Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:46.251{7B03F3B2-68D6-609D-3253-00000000BA01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553502Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:47.838{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E151A1324217D90A87A164FD3EF7A4A0,SHA256=DFD57EB92DE5F91205DAE4ADF1C581492E33D22F7406E2D49557EAD5247FF438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651828Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.902{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2CB9D942EA20D4E97262277F0EBCDD,SHA256=F0DAE9119048A6DEB6FAAF10A27D20C948F6FAF8495720E0565F6A7B5FDE28C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651827Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.614{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-68D7-609D-3453-00000000BA01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651826Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.612{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651825Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.612{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651824Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.612{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651823Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.612{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651822Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.611{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-68D7-609D-3453-00000000BA01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651821Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.611{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-68D7-609D-3453-00000000BA01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651820Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.611{7B03F3B2-68D7-609D-3453-00000000BA01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651819Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.261{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D67DE4B9EB83E8F1F74A12F24B98CC9,SHA256=3E552F71040FAEB0C9667685683F444596CD314A522832C6385DE0C4846869FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651818Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.102{7B03F3B2-68D6-609D-3353-00000000BA01}22842308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651848Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.994{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-68D8-609D-3653-00000000BA01}7908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651847Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.992{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651846Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.992{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651845Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.992{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651844Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.992{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651843Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.992{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-68D8-609D-3653-00000000BA01}7908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651842Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.991{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-68D8-609D-3653-00000000BA01}7908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651841Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.991{7B03F3B2-68D8-609D-3653-00000000BA01}7908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651840Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.911{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75EA90D5189755AD0CC6FE4370B1EDB,SHA256=8972413F4895C114F91FB097A0E0E317AC484FD19D6392158859BCC97AC181D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553506Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:48.854{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DE466224DC4CCB5C1B72D1914D7E8B,SHA256=C07E4D1DE78AD1DA1CE6F8F2C5A8D86A9A7E862EE5DE45A5DAE3F1480A252602,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553505Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:46.794{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51577-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553504Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:48.182{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=108AFF58EDD2DB5AFE441968AF91E744,SHA256=B3A085F60473F1710531F59330B201D206844D0EDA441E48900902A9C2FCA4C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553503Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:48.182{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=055FD2D435438F21BDAB75CDE6C16029,SHA256=B0C57E816AAB1322D80026920585B11A707013743948446A6360BC78C7EB0281,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651839Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:47.468{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65106-false10.0.1.12-8000- 23542300x8000000000000000651838Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.624{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28E8B4ED7299BF1224EDAE11ADD20EA4,SHA256=DEEA61A87A23BC19A1EF56194657CD20932113D2B265A83013ED357078AE5885,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651837Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.595{7B03F3B2-68D8-609D-3553-00000000BA01}28486408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651836Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.449{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-68D8-609D-3553-00000000BA01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651835Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651834Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651833Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.446{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651832Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.446{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651831Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.446{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-68D8-609D-3553-00000000BA01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651830Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.446{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-68D8-609D-3553-00000000BA01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651829Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:48.446{7B03F3B2-68D8-609D-3553-00000000BA01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651850Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:49.924{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8CCECE1D3EEA0C5BFEF5D0B057E9BE,SHA256=8D01E31BBAE10C0094E290EA5C03ECDFB329BD30AF996195DB780B201FF1EF36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553507Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:49.871{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844CBF1AC15141A5C8AB8625061D329A,SHA256=86CFFCBD5F59BDB5518AD463D2543031E43E0B4BA266D30A3A26FCA8F4DD2BA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651849Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:49.138{7B03F3B2-68D8-609D-3653-00000000BA01}79087660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000651852Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:50.937{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DB33B374427FECB25C600E97A6B39D,SHA256=48DE1847A3FF938FBE44B88E5584E84657D5585BC93E9D86FBECFD13D71DE05C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553508Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:50.902{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE85A7B7B9E957FEDCAF674737CEAD6,SHA256=6B673530F3F696BFDAF269E15FF337B17A158F4F14FE4EDDB4021B13129A492B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651851Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:50.002{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5EFB27284D4AB8357415CD8CF9521B0,SHA256=372EF720F7CF233BC8005EB5C45675ECAEBDA543428C7C612D69B7880CA2E268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553509Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:51.981{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB8B59A917F7F99C5393D4B2E932AB6,SHA256=2AACB6F5131566931054756A8F97267792FF8296520A5FB202185D2E28E21895,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651870Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.960{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-68DB-609D-3853-00000000BA01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651869Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651868Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651867Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.957{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651866Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.957{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651865Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.957{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-68DB-609D-3853-00000000BA01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651864Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.957{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-68DB-609D-3853-00000000BA01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651863Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.956{7B03F3B2-68DB-609D-3853-00000000BA01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651862Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.954{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC81FA3453290179B93C76F595F305F,SHA256=6EDDB619121C661E470D1E9D699C703445345E2E84AED1E92C43CB8EA5CDBE1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651861Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.366{7B03F3B2-68DB-609D-3753-00000000BA01}44687276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651860Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.180{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-68DB-609D-3753-00000000BA01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651859Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.177{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651858Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.177{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651857Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.177{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651856Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.177{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651855Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.177{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-68DB-609D-3753-00000000BA01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000651854Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.176{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-68DB-609D-3753-00000000BA01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000651853Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:51.176{7B03F3B2-68DB-609D-3753-00000000BA01}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651873Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:52.979{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028C9CE021980EE41E59A9333C665DAC,SHA256=5CB613D3F8CF6EB0FC7EA3C04DA61DAC62CC891051269DA425A19D37038952FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651872Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:52.888{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9E55BB7698FAF7062E06D81B845BBA29,SHA256=03B40ED22D639B19A1F6DAE61B0A0269AE605FF69F32A2E27512DDDB73CA2990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651871Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:52.207{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA51BD60D98F8C19311474EFA305DB82,SHA256=4B84C5EE2A9D711A657DBEFE40A6980A6A766BEA31DCE9769D9BD1F9678AE905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651874Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:53.982{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23431C14090F59F22D501E2F69ACBFFC,SHA256=B69271B75A3529F1B1E56F7DC059E8036DC5D4E90EE12B7679DB339E859F2200,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553513Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:51.826{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51578-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553512Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:53.262{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF17147F55693087B311E17D7BB0BF0D,SHA256=1D9C58A196B8B5210A670203160236821B1886A688F203CEECCD69CF724DA691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553511Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:53.262{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=108AFF58EDD2DB5AFE441968AF91E744,SHA256=B3A085F60473F1710531F59330B201D206844D0EDA441E48900902A9C2FCA4C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553510Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:53.012{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BA5D1C052503A14DC477137ADB6D17,SHA256=4FDB92D89DB47478073CC5654ADAC8BE98CAE639BF1B59E1C5F404ED715467E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651875Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:54.061{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=719E1175D03C505721DFF0743FF4BE52,SHA256=19C4324E483B088C30769C12CB61FE089749146039A526D610BD4B4B93D363D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553514Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:54.012{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A866AD4C6EA63BCAA8DC15EBA7E2C7,SHA256=22CFE69369E0CEAED9F2A0766829DC1A16F22F17A3FB52DB7C0857E5FC0D11DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651876Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:55.009{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02ED88D742BB874C01398DA6F23DE074,SHA256=98C6709D6800D8BB0BFCBBB2A2AA1A151EAC60685DC01A248B3DD7C6D08327B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553515Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:55.041{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8263D89EF59ADA6A07AD7D72BCA962,SHA256=F6E457BE68B1C2D5B19C8A2A0278474A996D6310074858CE630C346A8BACD0CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553516Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:56.089{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5ABA3DB554CAF76FED2C51A5D21458,SHA256=48564DD8E8A2D0010A4F1C3226582D05DFD4BF2E7F70491467FDB5DC658015C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651878Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:53.287{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65107-false10.0.1.12-8000- 23542300x8000000000000000651877Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:56.020{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B187A788B76B01ACDF706B65E11B3F8,SHA256=42574AC5250E81AD85A671C3AE648D57723BC868787AC0D94F4BA8061D86B0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553517Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:57.120{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E99EB273DBB7963AF27B70F580696B1,SHA256=D93FC01062D22A97621A996A4BB32D303F93E12B6FE8B3556688846F241CFB14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651879Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:57.040{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E66200A400908412D55C5D09B879A64,SHA256=75AFFFD32DDD4011E934900AAE39036F93C80BA7207814732CA833AB8A3609E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553520Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:56.857{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51579-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553519Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:58.229{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF17147F55693087B311E17D7BB0BF0D,SHA256=1D9C58A196B8B5210A670203160236821B1886A688F203CEECCD69CF724DA691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553518Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:58.198{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED8B7ABE47F604CFCDD9018AD59488C,SHA256=961FAB40403483597AEA7FEB76146B4A15F6F7548E1D26C2E971FCD07E9A3E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651884Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:58.765{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F57BFA4C87AD23BA8D5FFED98ED1E94B,SHA256=A06C0717B690D623DAA0F000934D000B8D20638F0CA5B9A800998B458A092615,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000651883Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:58.281{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000651882Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:58.281{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000651881Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:58.280{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa22361a.TMPMD5=36DBBADA813EDB200C2B5A8128054E48,SHA256=F4E0DB2CD90C5DD2683AE772A460616D1F0DB8B7E1C978F725E37B250DA33754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651880Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:58.046{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DAD95E1CB7101B5A5AF0BA12D22D08,SHA256=3443BB3B02B51085CB712302F5B120D199B387DC5E0B0FD7426A5DB26768A3EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553521Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:58:59.198{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24C35230333740A89C48718B4642A1F,SHA256=9ACFDF50E17BC1EB5A14CEE1320C67A5B4CD7118C14AC73B0C395783125994E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651889Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:58.301{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65108-false10.0.1.12-8000- 10341000x8000000000000000651888Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:59.272{7B03F3B2-D0CA-609A-0D00-00000000BA01}9127316C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651887Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:59.272{7B03F3B2-D0CA-609A-0D00-00000000BA01}9127316C:\Windows\system32\svchost.exe{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000651886Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:59.272{7B03F3B2-D0CA-609A-0D00-00000000BA01}9127316C:\Windows\system32\svchost.exe{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000651885Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:58:59.058{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9FCF09EEA03BF6A68CB8CC5440E206,SHA256=045127A2A5E1CA603F00AA6E22CB166B448E58C3D511670B8936FB9AD865322C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553522Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:00.230{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7267D2E6972F5511C588C756B708EC8,SHA256=6DA3F2CD42A5825D20405D637EC2BB3D23A6293FD463ED41B911DE07810EF47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651890Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:00.105{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0719B6D90AC93E726A950D06C5B057F,SHA256=B7DB3DFDAAB671B43ACB27CD37437595A1E2A49911A6CD75E04CA5AE180A099C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553523Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:01.245{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E6975AD81300E73711E0208AD8D1D7,SHA256=E8F7389E81E1ECE8FC34261B66100855410608A39292BE22EB83659DB924BF3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651891Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:01.119{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D8D01E1135886FC24503165EC10BF2,SHA256=4FE0C298D20F9DC0A4271F53A6A57DD8A23602ADC1A65D0A9821BB1FDC6FAACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553524Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:02.245{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1FFB4D3AA3225C62D71DB23966E3576,SHA256=8D3F54090999A98A8E59947CA1C1EDC6E07B82517ACF87BA343211B6B6F19D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651892Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:02.137{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4AE572F2974579A01E3D8034275586,SHA256=4A4B08C99920EBB2BFDE50D588894F269455F909094746E3A7728C5FFDC2F803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651894Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:03.754{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB96745C5D5E19AFB0426515E5908841,SHA256=8FFB5BC9B9438CABCD7F0790CC2D1F35F278A72421E53E80E527E07B15EAB7A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651893Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:03.155{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D6EAE7632C873FE77BD34481E9F199,SHA256=4DB454D581EE20D80D6250F25317C15EB20731C10DD44E47FF4B25786D1A8CEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553528Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:01.888{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51580-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553527Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:03.259{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=571288DFD4319D9CE833B25DE3D0D2E8,SHA256=14FC2E7D8480B92B5ACCCA06C09D9877AF0D63867CBA69CC6C20C9F7D40DD41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553526Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:03.259{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E322B6EDA273B6F014253EF12750BE1,SHA256=9FF103D36FB0D9C04DE7DDD9F2AE1B60A72B4D772E1CAA40976DBBE3EA6E6A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553525Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:03.259{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5262C695D477C17DA3BE67B39FD354,SHA256=064CCBE6DC702A4A9ADEAFAFB32DBEC2A014B7310072F8C7A8A04A670808BE9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651895Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:04.165{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDBA85098A6EBD0FBC9171E3B68AB58,SHA256=4A491BBE5B4AA4E3D78A829A39D508D97E301820DE1A059DC6421B4E8353E0C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553529Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:04.275{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C666AFD0024ACBFBBA1FB186625F63,SHA256=CD443348C5B71F7FCA4DC1709351806531A530894E119356EC3AE3978EBA199C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553530Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:05.322{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44240DC9DECFD208BA00258FD2C987B,SHA256=48F43804B8202A1A52F0A7CF7D283B2F8FFAFEFEE4A2A1AC422F89C7ED2E63B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651896Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:05.171{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A646DCA4574DFABAAAB0204070A9EAB,SHA256=FB31DC46BB1942D1FB35CDA39F3AE743300D61BF85EC4920C708026E5CCFF204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553531Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:06.337{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B011C0FE55CCCCFB8018C334DEC3B9,SHA256=0C27CDD85A5F022554FD4E60017956AD5247F23E3D5EF3225ADFA90E9B7FA0BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651898Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:03.477{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65109-false10.0.1.12-8000- 23542300x8000000000000000651897Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:06.180{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9330B6FB31723A63CBCC97974A5876F2,SHA256=969614EBBBAE439877882C3CD08CBE2FDC5779B6E04D2E12317074F84B30C120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553532Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:07.353{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26F26A94CACE4D5BD7B94E241289F38D,SHA256=5E0F6CBC4544F5C75C32493707C8510047D2129A7D99A631356A0754160B9FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651899Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:07.184{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7DE35E9DDC2C5B753D2E1659FCD25E,SHA256=832A22379B25F3923832A682023463B7DAE28ED468090E089184757501C0AC51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553534Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:08.712{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0926F5FFE42F41B31AE5A4EC1347E47A,SHA256=36E2A5C71D37C96AC4E83FFC04B88598F681860069EA7B14834AE9CBA691623C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553533Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:08.369{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89559141E48D832946DDE6C4A37948D8,SHA256=43FD8BCE1578A3A8B640CD6D405AA3F5FC5A32D3F039B17C0F682DEA7B0DD588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651900Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:08.193{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7788937D34ADD7683A8B66431033E165,SHA256=8D79541F49E0E045624099148FE2A854EC2EECD31987D310FF0DBF742599E897,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553538Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:07.699{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51581-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553537Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:09.447{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCF4768131D3E9B40E667276521F90C,SHA256=C53A326D587B01220B52F1ABA1D3C9FF94BAFBABA6022C2AF60B4A407AD9715E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651903Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:09.273{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2380DCA08530047E9AF397B98AE70B69,SHA256=F15B597AADFED4CFD8A60C66F334FE1F29915CD1767A8AE5494A0583ECBCD740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651902Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:09.272{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38D720EB0F2E54B0A579F03BAE92790B,SHA256=5AEA4D0C219268A49D7C078C505DDB76FB7CA9A8A11D30140E4AE836051B473C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651901Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:09.271{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=004F7B7A0DE0587EECF89284495861D4,SHA256=483767CD4CFAD7653C4A013809F56E971BB0175FF9CDA79D7990765DCA0634DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553536Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:09.228{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4432EB1EB14FD492E3AA6927EAB3864,SHA256=F82D724EC69EC44101BD61B5FF45392F342E476EBA98680CFAA3E0A805ED14D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553535Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:09.228{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=571288DFD4319D9CE833B25DE3D0D2E8,SHA256=14FC2E7D8480B92B5ACCCA06C09D9877AF0D63867CBA69CC6C20C9F7D40DD41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553539Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:10.462{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19CC07989BA58B8A3A5A287EBEF54ED2,SHA256=DEFAC2C49364F0EDA91C51CA943987608CFD192869932E1FDAD5B20A29465A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651906Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:10.396{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38D720EB0F2E54B0A579F03BAE92790B,SHA256=5AEA4D0C219268A49D7C078C505DDB76FB7CA9A8A11D30140E4AE836051B473C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651905Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:08.479{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65110-false10.0.1.12-8000- 23542300x8000000000000000651904Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:10.287{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15EC7C1B3CD00E51DB63776AE4B0B057,SHA256=5F5C702F54BCE3DA7DA421C6AAD58793700E8A7B5488764088814BAC636BB969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553540Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:11.478{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD874D228C6D6D1978A25DA40BD8641,SHA256=CF9AB43A1733072E8FE2DF8C08B58CF2F17F2899511CD324749AC5872B7D7647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651907Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:11.297{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B12E6C9A320FFE6478DED2603904B14,SHA256=EFC688B4758E2A4100CD2E64F58A1651DB049DE71DC2F78024A4A988618841E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651909Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:09.625{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local64203- 23542300x8000000000000000651908Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:12.306{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4747FCD8878CAA066CB515E7E77640B9,SHA256=F49A9A2CF72CB199D69E576F07D6FC26BA821424743C6C099036B53E4CA8AFA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553541Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:12.541{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E67B654C3814027C0A74DCC24AC12FD,SHA256=C834888D35AADAA5221A5FBAD69EB74DE266B2690912C5FCA085A732C5A93DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651910Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:13.336{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93157BD5BC752FA81C11974EF3BBA75,SHA256=98FACEF8E8E46938E4B1A58BF6D32FDD8A4CDA1C49348949C5CA1382353E8092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553542Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:13.572{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21C9DA7A884FBAF575A16D079D20EF1,SHA256=D6ED95EC8401164B626DBC0EE2C891CA513F9346E5D420AD1F8E37B1B8FEC5F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553545Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:14.603{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DC448FD72F3D4D6183A87CF88A135D,SHA256=587B45A813E6D94B40A39CF0264532933C7BA1FA3A1EBFBA3C2F9D99694D73C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651913Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:14.375{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19CF4B84D901D38CC14227818B93A22,SHA256=FEE1AB4308380C4C618311CAE3238EDB46214D0E4E558BF1AACA7A61E09D59BF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000651912Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:14.142{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txt2021-05-13 14:34:13.883 23542300x8000000000000000651911Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:14.142{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txtMD5=C41F79B02AF5775DDA57E176850F46B2,SHA256=51565572AFC9A4A6614168CC33EFB3368236A740DD3ADA9C76072DDD5D1BDE53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553544Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:14.400{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F733171D39FF96E116996D63E5F2EF8,SHA256=D76194A8FFF4B02BA9364CE679DFCBDB38DE42242DCDACE2DF48D776ACB4F077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553543Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:14.400{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4432EB1EB14FD492E3AA6927EAB3864,SHA256=F82D724EC69EC44101BD61B5FF45392F342E476EBA98680CFAA3E0A805ED14D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553547Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:15.603{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD25DE3B14A9D778D06BC75802D6716,SHA256=DBE05D224E45BCE65C001BB0AF0CF77ED851222A4D5CB3F529A38615195B355E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651915Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:15.379{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBEC69F69EABD8E45251805923E9959,SHA256=6A28C6F6028C10A3CF23E67DBAF6A0156CEC3936AF6DC2D57D536CF515583AF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553546Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:12.824{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51582-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000651914Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:15.057{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3119FE6223B8E389CC7F2F4CCC52FCC,SHA256=BCC4A72BBB378C03CA8B9A68FF57470761EC4DF8E531BA02F268D07E0FC89F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553548Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:16.681{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5302E14D98A17E5AE06D46262FB8B814,SHA256=5F2588E578588FFE2540FC9FCBFEB31199574AEDA9041F3F3E8C3FD8A927FD3E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000651920Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 17:59:16.930{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x8000000000000000651919Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 17:59:16.925{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Config SourceDWORD (0x00000001) 13241300x8000000000000000651918Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 17:59:16.925{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BB71F2B0-B2FD-473E-8F6A-A6267F6C421D.XML 23542300x8000000000000000651917Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:16.385{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1D90CE868E65691C90E7DE2CFAC4C4,SHA256=F6FD1F5E8CF6A4FA9E072B4024EEE481540988C989275EEB861205B1C6444981,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651916Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:14.295{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65111-false10.0.1.12-8000- 23542300x8000000000000000553549Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:17.681{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75ACB1DFBE8CDA2F667325E506EA6F08,SHA256=0AE2CD1C5AC5FEDBA0C268943EC665734E2D5DB371AF0DC20A5D73FF52F64FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651921Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:17.394{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A677558C7DC9E8CDEEC668D361D927,SHA256=937CD6BFA60E6E27076FC30E65C2E0BF0389BEE3FF54B087D0FC5988ED1CF7F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553550Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:18.712{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4032BAFF387EF29B756AE242E2D6BF0C,SHA256=A20EA9C6EEAAF6E8917DC9C03946044C1D3AADF599985607155F3ADA3AB3E795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651930Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:18.969{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81B7B13ED99C2B05EBE156AF4C2E08ED,SHA256=C82F5D24C81F2B92157E425562708518B0F2847CBE87619917400AD2FA5C0274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651929Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:18.410{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377DBCD5D43C34E8DC1EEA710EC1BD21,SHA256=8BCCEF6A2303F81E6727789B84A0866DD05A5DE01A51B3AD5EB07117F16054A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651928Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:17.181{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65114-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000651927Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:17.181{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65114-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000651926Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:17.173{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65113-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000651925Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:17.173{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65113-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000651924Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:17.153{7B03F3B2-D0CA-609A-0D00-00000000BA01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65112-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000651923Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:17.153{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65112-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 23542300x8000000000000000651922Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:18.151{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97329BAFBDDE1A8611539FF9C92B1747,SHA256=976D918927EA59E3E0D5698634DF9A2D51FE85C6BD23E7D93CA92728286D6774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553551Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:19.744{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D321A3AC987024755B7675312E0ED1,SHA256=2F1968942976553CB2FF36EBE0F352879CF8B2EE2C9CC9DCE7E7DAD8C97D2F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651931Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:19.420{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0891214C826E75E21B17B52BD2C10AD8,SHA256=9A1B824D826E01F14D94ECE9B19A8E994E48F62846A5C29B6BC590030C4F9A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553555Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:20.744{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A95F383E57AEF7ECE441354B1B18C4,SHA256=98F36F20FFCAFB6F66A3FA2B750F6C6F51E8623FC40F8736434E490217587259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651933Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:20.424{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A529E72B1D5BB4904DBAE286804D98,SHA256=D3B7F3449004E18E9BCBFCE4494BAAD05E2F782809002D9272AFBA1E567ACE59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553554Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:18.652{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51583-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553553Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:20.056{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=779F68E29CBD3370429D997BFDA4C4F7,SHA256=5AF8022E2A5972F6F8455CD00EE45B3AD29EDC8362FAFD70C32333EE7C508220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553552Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:20.056{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F733171D39FF96E116996D63E5F2EF8,SHA256=D76194A8FFF4B02BA9364CE679DFCBDB38DE42242DCDACE2DF48D776ACB4F077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651932Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:20.130{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24410AB9D13D99114D0960582A5980DD,SHA256=BA291171A80B8F9606273B75B1F291DF11C294C3C11279F9DD7FD460EBAD3F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553556Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:21.759{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95048DB90C6D298818F74F2536D3069,SHA256=A2568D658AE77ACED28ADDA52C8EDC6F857E379793BFF3377F4E17CFAC51E29C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651935Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:21.456{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926D35A18AE6BA730635321C3810E166,SHA256=BB72CAB66B6E5B5E114C5C7B628BFB9BFB433F97824F7335A3718E17ADA1C775,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651934Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:19.362{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65115-false10.0.1.12-8000- 23542300x8000000000000000553557Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:22.782{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68ACC0D56E6B25C2EE7F42E6E453A5E,SHA256=81189CC8CFCC75180AEB734CCA27F95E0F19F4D34AB28333E0D4A20626BA580C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651937Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:22.899{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651936Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:22.505{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F6641EEAC3B3892C28E0F151494FFA,SHA256=EFAC3E13D0AAB6F63FF16B194EF042A757B66205F1FD0D79362D03A0E9543ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553558Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:23.798{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6438BED8EEA6EB6D8CC54EC211004A2F,SHA256=9DEC76908FC875EDD3079ED6461F042441986412C9584F3D80A8A231331965DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651939Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:23.779{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3A9ACFFE0D7FFA8F562FD1F17C715DA,SHA256=1B95FED6B806FE0E9D69B5A8CDDF5DE40409D4824A04C754F3DD5935C37694B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651938Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:23.520{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD7D423CBB11DAABD3F5C771763539B,SHA256=2122D5F3D5BD347846A59C5C8F49542418FBE6E7294EE6808915503777D867CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553559Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:24.813{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864BA440B34AB59503E7A35A472A8F9D,SHA256=7EFD097414844AB6512F26768D3ACBB5D404D1727C16A34C3B792B68378A5D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651940Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:24.530{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C64A209F7EC52172ABD966EB5CA872,SHA256=360D6440D3CBD3D0EEB384723AA77512378E1ADB4B8D917A9BF0826E8DC0DE3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553562Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:25.829{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB1C134B7660EB2FF8F937665A4AFBC,SHA256=C2BE76CF79DF75EE1496DB198EB75B541FE9514B497BA45609D15EEC26B3FDF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651945Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:25.541{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18203034A2B9DBD70A36E6AB8C263E5C,SHA256=417D94D1E6BF0718AC9F90686AAD24E97B9EF621A29F6C847878FD206A9DE898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553561Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:25.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CC922227C7F53153EE292AE6269850C,SHA256=E51751420B1A2DB4097493729CB64FD4B97D94D9465120EAAE65C080053ACE0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553560Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:25.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=779F68E29CBD3370429D997BFDA4C4F7,SHA256=5AF8022E2A5972F6F8455CD00EE45B3AD29EDC8362FAFD70C32333EE7C508220,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651944Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:23.543{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65117-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000651943Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:23.543{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65117-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000651942Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:23.116{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65116-false10.0.1.12-8089- 23542300x8000000000000000651941Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:25.215{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDE72D3481200EEEA5ABBF56A54F7208,SHA256=E76FE079FB35FB83B02ECD7D92F455DCBA37CACA76CAFFFF9D140B6397DAF3CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553576Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.860{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA62C233A0A2E09E718F50A2433FA9D,SHA256=D8AE6E118E96B4398EA8823BE9B07BC938EEF76F67410E6621C80AA38B3EB1D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651949Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:26.679{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651948Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:26.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=39AF4A3BC8B87E70AAFFE35F64C542D4,SHA256=DA12C507A408411A23BE45BE2F4A2B7D2953D4D3316E4D53841CF845DF30A096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651947Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:26.555{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B660861D8E4DF3EEEEC7B47DA71C3EF2,SHA256=8151DFAB808A193554D855CFEB3B467FC15605673A599E7A71A54A9EF01229FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553575Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68FE-609D-494E-00000000BB01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553574Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553573Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553572Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553571Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553570Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553569Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553568Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553567Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553566Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553565Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-68FE-609D-494E-00000000BB01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553564Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68FE-609D-494E-00000000BB01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553563Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:26.767{E1BD9FC2-68FE-609D-494E-00000000BB01}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000651946Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:24.443{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65118-false10.0.1.12-8000- 23542300x8000000000000000553594Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.860{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589F750E34EA5567470B9B1A06159755,SHA256=7E5179DA7633FD61F069483422FED715E54AF48CEC6CE00802C9E684608966AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651950Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:27.583{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3595643294BA6BB4078D1393D2E707C4,SHA256=62C16A25D8EEF56532E7BFB4F3D88CFA038926ED4E8812D45225912A946C4BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553593Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.782{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CC922227C7F53153EE292AE6269850C,SHA256=E51751420B1A2DB4097493729CB64FD4B97D94D9465120EAAE65C080053ACE0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553592Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.548{E1BD9FC2-68FF-609D-4A4E-00000000BB01}788224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000553591Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.532{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553590Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-68FF-609D-4A4E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553589Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553588Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553587Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553586Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553585Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553584Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553583Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553582Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553581Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553580Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-68FF-609D-4A4E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553579Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.438{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-68FF-609D-4A4E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553578Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.439{E1BD9FC2-68FF-609D-4A4E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000553577Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:23.878{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51584-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553608Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.876{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04573A10832290F11C4C48DFB48F56E4,SHA256=061053A48E2C92E5897C44CAD7F546D0E065229F15D5ACE4F7423595CE704B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651951Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:28.585{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559217D9687062BFD65D2C66EAAFE36F,SHA256=CFF824AFF37B6A0779E07D38F394B10C2C82D7B1EAD725B2FD677E8ACD3BC65A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553607Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6900-609D-4B4E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553606Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553605Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553604Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553603Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553602Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553601Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553600Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553599Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553598Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553597Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6900-609D-4B4E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553596Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.110{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6900-609D-4B4E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553595Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:28.111{E1BD9FC2-6900-609D-4B4E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553611Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:29.892{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9429308A46E3E60B8220036126FDB9E7,SHA256=B2A24E0F5DC315A218389246BBF845A64F930C064674F7A3474003C48D31AB20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651952Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:29.600{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBDCB93AD18C70CF8BA47AE01E135D9,SHA256=C96AF7E0897E2ABC28235116F3B4DDA47C7A01C4B1137D382789864852837736,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553610Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:27.159{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51585-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000553609Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:29.142{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=351952D192A5FA7F3717F34EA5DB853D,SHA256=28096536DE4032A7A1B27C7FE144B1AA1DB1B32B5D0A734F04C9D1D35E36BC1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553612Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:30.923{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF24B462A61A65477B30F61D3FDF3EFE,SHA256=9717606CFF059299EFC505E888452DB696C7C2BCA9008C4BD827D804590D0B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651955Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:30.606{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C792BF97906D7AB4F676D70CC53584,SHA256=0481DB18AE08DF04CCCE72EC8BA9F8D288C231AADF60C4C5CF2FBC6634AB0013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651954Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:30.252{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACB2C47CB9733D2AAC190A95D95C37BA,SHA256=3BDD8663D50D0D365FA3A39CCC3A67BBB7096DBCB999F6C9C2162884CEBCDF21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651953Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:30.251{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8D3F9398665DC6BF7E24C95B2D27AC3,SHA256=404BC84BD7729B82E3CC8108D1A2E57318F9286A021FCF46285C9368F337FAC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553614Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:31.954{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A0E7AC982B77411A65ADE564C4602B,SHA256=79CAEEE8C3C42A7ECB8CA02A1AABB26714F4F9AA7BF36FCC15D0F670B872B73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651957Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:31.624{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29DB2CB7EB59934A53EA4280CE763B35,SHA256=D8D38ACAC5ED4381FF886BA8FAAE6C25775FC28BC5FECCA3DAB4D0F0670F8DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553613Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:31.329{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BD7937B3F7F43C5CC9AAD668EB68622,SHA256=A97AD87ED6D855A03F74EC0941CF6BAF5B703B2501F91B3E2DFA135B42CD1E9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651956Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:29.483{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65119-false10.0.1.12-8000- 23542300x8000000000000000553616Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:32.985{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B4CADB90A26DC51265DA58D1BBD7CE,SHA256=629509FB1A6F4B971C1999C21E25108C54E71A805ED91B9A24D5FC52008B8590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651958Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:32.632{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA1C4FD601F75D8D28754C01AAF8B5A,SHA256=56B04B0F45BEF3F3B9F68D0A3549B377B856ABCD74F6D8B2646177004DE5EC08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553615Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:29.815{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51586-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000651959Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:33.641{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8BF25C976959AAAA3E95A408D941F0,SHA256=466D05769FD4DF34D515A7AB6361C53D586D816105D053787E487ED1940AA4B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651960Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:34.649{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF6BB87EC00E358E6B71D3EDFD9F4F88,SHA256=EC68859B5B3AC43EC86250F6EB019E19749FB8BC5262C7154A4723EB82BB1F7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553617Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:34.001{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD96F763E0274ECC9EACC953A99B0935,SHA256=7EBE4195128AEB696B69229DFCCD43AE54F0882086AD619446156543AD2E4E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651961Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:35.656{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BA10E160ED72BED206A1618A432B1F,SHA256=FD4A8B83D3CC7A1D268A513197C903B1E90FCB0BFCFF17163D823EF202A1DA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553618Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:35.032{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99C8D2F4F7F991C478D1999343CC2AE,SHA256=96941822C441B84C4680FA838AB0CDB78B8BEAC05E72B5B9CB753A4F5F9ED272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651964Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:36.675{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97697DCAD7D433D8D0001ABC8A536327,SHA256=78AC5716C425E77C03743A9A41B612186206AEC4F962E413F32E957F36AC08D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553649Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.798{E1BD9FC2-6908-609D-4D4E-00000000BB01}23441012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553648Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6908-609D-4D4E-00000000BB01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553647Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553646Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553645Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553644Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553643Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553642Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553641Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553640Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553639Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553638Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6908-609D-4D4E-00000000BB01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553637Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.673{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6908-609D-4D4E-00000000BB01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553636Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.674{E1BD9FC2-6908-609D-4D4E-00000000BB01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553635Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.407{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5198B917C35192A7DE1C31AA9E234CBF,SHA256=143667946C85713188C5B8B679BA6A48E682011DFA3B94B5C23B8196475907AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553634Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.407{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78F90010E2306614F834B53AE778AAA6,SHA256=880174BAC8D841B83D738C9F5252AB509F025DF34B4588D740E983400A75559D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553633Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.126{E1BD9FC2-6908-609D-4C4E-00000000BB01}33442328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000553632Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.048{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A23523ABFBD88BEBACDB6C3982441C9,SHA256=639AA48E0B100215FB7237413629D9CBA6B35169519ADD877633168F636A9EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651963Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:36.184{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC6083273DD3ECC7281F780240CF524B,SHA256=48C5B4D16CB6096AD3D18B96F1117CD71D09618D46229AB7DFF1DD857AD95714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651962Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:36.183{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACB2C47CB9733D2AAC190A95D95C37BA,SHA256=3BDD8663D50D0D365FA3A39CCC3A67BBB7096DBCB999F6C9C2162884CEBCDF21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553631Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6908-609D-4C4E-00000000BB01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553630Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553629Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553628Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553627Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553626Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553625Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553624Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553623Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553622Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553621Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6908-609D-4C4E-00000000BB01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553620Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.001{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6908-609D-4C4E-00000000BB01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553619Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:36.002{E1BD9FC2-6908-609D-4C4E-00000000BB01}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000651966Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:37.820{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB3B4D55452698E1D5CA72BEDCDD88F,SHA256=772889EA4AA989C5AFD786FE96680EEBB54D75C5D82B5EE43A897ECBC5B00934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553665Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.907{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5198B917C35192A7DE1C31AA9E234CBF,SHA256=143667946C85713188C5B8B679BA6A48E682011DFA3B94B5C23B8196475907AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553664Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:34.862{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51587-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000553663Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6909-609D-4E4E-00000000BB01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553662Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553661Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553660Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553659Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553658Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553657Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553656Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553655Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553654Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553653Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6909-609D-4E4E-00000000BB01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553652Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6909-609D-4E4E-00000000BB01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553651Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.345{E1BD9FC2-6909-609D-4E4E-00000000BB01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553650Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:37.048{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E68295E8F0D0A69E34A165BD40F9A01,SHA256=16AC7BED65929E7302422389567C02E7C65C0A7393CDBC9BE14E7B5955F1E954,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651965Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:35.369{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65120-false10.0.1.12-8000- 23542300x8000000000000000553680Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.251{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF468EC8211312517EB731A7BE7D761,SHA256=0EAE28AFDDDF8ACB65A2325B685FA0D91C2647E6FAB61CC243F84461596F96BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553679Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.142{E1BD9FC2-690A-609D-4F4E-00000000BB01}33241984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652020Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.653{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=DAE6187CCAFE3B97421BD18151EF09D8,SHA256=481BFB80D5E975B563C1259EEC036F7EC8A1ED6A4FBDBD2C9D8D6527A6E60EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652019Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.648{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=3F92B621E1581AD764BE2EC57381AF23,SHA256=18FBBA6D350213F61DF718195FD2B38A3B8344D0A5C22C2713E6F8944E9A9DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652018Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.647{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=A934D3E2CFDB836D2B0E13DA7905F85D,SHA256=4ED20A2094A10C69A2B03AA62FA3CBACD0CCC958127C418B502B8C417F34E399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652017Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.647{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=DC7308A91A03C92D7329F37F15C7AC82,SHA256=180DDE904FFF036ABD4045A52850200ACA369E4577E14E0675E5298855A6AA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652016Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.646{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=61B202679AB4A90DF598E65551E44B60,SHA256=E12DE94CAE41F44DAA1ECA9CAC21BDBC8A1AEB4797CE358DC1698A4CCE147A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652015Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.644{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=0A19E4A237D65FF069452EF5201F217E,SHA256=AC5D43328F28E2B1159D014197F58D987C2AB78C9179DCD924524353571FA604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652014Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.644{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=0564710CA4D6578FF3276BA90AC1FFC8,SHA256=B21CCCA4FEDC84EF81801777061708CC485E50F519BA103583B2E00B9B745100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652013Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.643{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=C0FE3CB314FDF424A4D4F1DE2801A4DF,SHA256=C4CA8CE5B3B8D038E3348887BDA7634D1949325BB95A68D17184D2A99F37E810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652012Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.642{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=3EC11392D120EFF88EA429D945305A23,SHA256=00A881F20202579C53597EF52C315AEF2A75B23DEAD91B21FAD0F2292CEA969A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652011Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.639{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=BFF7DF7E350A49234104FC5231FDB381,SHA256=71EC5B3701739EE7B118F82E5777807D98A1EBADD653F7C8F8E04426A5938D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652010Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.638{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652009Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.637{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652008Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.636{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=78AEEC294DABA7ECC81708E60A1662D8,SHA256=4642CD76BAC7AEF8F6BDDCA8ADF6605D8699D531E1B7D0E277A477B590726CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652007Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.635{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=CA1003AA6CC48489F362350080D68948,SHA256=7549F93D6AA5C5D8DFBD7CCCA276771236FF0045DA0E84BB6C09AE451D90BD28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652006Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.634{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=AF5DD014FFE62B74AA9E4CE2732B8712,SHA256=5EB6AFDC8527DC95705FF4359B1809651ABB942C377AA2900B0EF838AA2EACF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652005Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.543{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=AD15D5D9484201E4F05E8A1F1CA457F3,SHA256=2CCC41F29A2CCB30E51C301A5C11542E1253CC69A18FED7E0178F94C4072FD37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652004Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.542{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=5AB9503B46999A9800F797EC4AB0DF4B,SHA256=B972A51EAA4DB2119382F42211675BA6EB906F9D411DCF27A1F951E13FC2BAD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652003Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.540{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=127FA57B63F90D6C2F0CCAA86A46F7D1,SHA256=6B10EDDF78FCEA584E0CABBBBD32887A8C989A926034E677007176968849CE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652002Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.540{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652001Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.539{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=41C9CA556B7DCF1129513126A1EDF26F,SHA256=5B06F2BDF9D864D790677DB8C3AF9A5F3B2AC7E48824026A7F794E6DBE5B4DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652000Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.538{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=54F4644CA8741D633082C577866187C6,SHA256=363791F90AD17E21CA91D6494920F008191797135756EAC79F7C4ACD94B547A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651999Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.533{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=554754424E0ABF50D2D2DD5086FB97DB,SHA256=D9777DC9A5E7969BDC5F3B73588FE08A994784E20619FE15FC212BA83C67D9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651998Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.532{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651997Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.517{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=5A35E65CADA1885B6796D1B3FE56E5F8,SHA256=35A1BF0FF6DD2B70DA5F89611891D413808DDE1510D03D788FF48A214AFA7CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651996Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.516{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651995Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.516{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651994Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.515{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651993Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.514{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651992Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.513{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651991Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.513{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651990Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.512{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=5EB942447159BDD7EEF028E27D1B67ED,SHA256=4C7B7ADDF3C8C67C97BAFBA64E747E49EBAEC833A43FBB5112AFD08996A9685C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651989Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.511{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=318288F5909637E0C3285C0942D72FF4,SHA256=F2BB9D40F7237C0E6D8EA96DFA2E864BD1264EB191C52BDBF16488D9466BC300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651988Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.510{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651987Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.509{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651986Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.508{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651985Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.507{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651984Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.506{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=E2856310152F38E03E91A22D9CB19291,SHA256=915F6E55ADBB3C5AB5747A0D2CF9E948ED62B63E79D12BDBB091F0486CD03AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651983Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.505{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=73DC8D3F53B50FB0F1F8632C9530FD92,SHA256=833AC94BC689B785FB52EC5D18E139325EFDFF464D005116AF932573580FB379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651982Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.504{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=9BC238A800DDAC970E529F57CFD2A0FA,SHA256=66692DC05E8FC8D067983F947D990FD70C59BD62D0368686252B6B2036761E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651981Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.503{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=E6AAB64DC2799B4ECC6A6D18F86BD283,SHA256=D72FA31B50E9164371C5B7A3CCA257B99CE12D900FB07DEF942361D76299F5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651980Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.502{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=C3CA39A668EC3B1A24B07B68FBDE811A,SHA256=090654DB89310693F427B861104C6FA2A556722DE5D88BF27D216FAE1459A7DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651979Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.502{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=C3757E7620737B3B6500073B370852FE,SHA256=34B07244F673343E9AC1C775B455C0A60AA95439E83A70B0C6A24E504A88F4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651978Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.501{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651977Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.500{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651976Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.499{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=5969DD82BB12F93A8166E58695FA5D79,SHA256=488E9B04C2C57E2DD20C2B4CD727B182E7A60C13693299E57FD274148E7B897E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651975Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.498{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=2CC22CF356532158115AB8A0851A9A80,SHA256=6B106FD00C6E27909C9779448E5BDA5FFB96FE2A6FF42636A662AB411D9906DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000651974Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:37.457{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65121-false142.251.33.74sea09s28-in-f10.1e100.net443https 23542300x8000000000000000651973Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.482{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=554754424E0ABF50D2D2DD5086FB97DB,SHA256=D9777DC9A5E7969BDC5F3B73588FE08A994784E20619FE15FC212BA83C67D9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651972Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.471{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651971Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.395{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=127FA57B63F90D6C2F0CCAA86A46F7D1,SHA256=6B10EDDF78FCEA584E0CABBBBD32887A8C989A926034E677007176968849CE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651970Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.389{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651969Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.378{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=AD15D5D9484201E4F05E8A1F1CA457F3,SHA256=2CCC41F29A2CCB30E51C301A5C11542E1253CC69A18FED7E0178F94C4072FD37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651968Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.332{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000651967Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:38.293{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC6083273DD3ECC7281F780240CF524B,SHA256=48C5B4D16CB6096AD3D18B96F1117CD71D09618D46229AB7DFF1DD857AD95714,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553678Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-690A-609D-4F4E-00000000BB01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553677Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553676Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553675Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553674Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553673Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553672Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553671Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553670Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553669Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553668Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-690A-609D-4F4E-00000000BB01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553667Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-690A-609D-4F4E-00000000BB01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553666Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:38.017{E1BD9FC2-690A-609D-4F4E-00000000BB01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553682Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:39.220{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C531D43D20482412A2839CEE273B763A,SHA256=0655A5DF5695403512BF6E78490637D62D08F648FBA53E000D4B8D43E6FE1972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553681Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:39.142{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41A71775174C04BB9DD5249E9DEDC36,SHA256=064B1AFEE07ABF8CAAC7876744F53968758DFDA2B22EE720395789161F7DBC95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652022Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:39.164{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652021Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:39.087{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F679363819A47C9CA5B73F4984853423,SHA256=F9053AABF6984A53B0CCCB72A919FE0930A74AA6602578A5C66C7DBB4C7A44B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553683Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:40.173{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=538168A73D62AE100B9B4E0813CDC04A,SHA256=790D395AD4CC7DBF91148E52933B414942703CED270190D47A465534A8D8E34A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652023Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:40.090{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E892D5A4B7D89C96DAE5B133EC315A,SHA256=8A7E7A5EDBA0B4DB404DD35EBD0E4A6DDFADF0DDCED70ADAE240EADD212AEF6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652025Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:41.228{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=758AB1856B44B2E767C3D375107C5213,SHA256=A2533A543E6527A5F4C84DFF14AAA9E6CE9984BC12F6E2043C0B212191253586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652024Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:41.103{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2A87628DCD1138BE28B7D37D6C4470,SHA256=384BB307D6EE88281AB566E1AD35043FBEE6573ACC44E0C87A94E4FCF1C29134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553684Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:41.173{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA915FF69673516077BE951C365FCBC,SHA256=981ABC750F9A53250E784B2A406F2A1BA42A1EE403A6035D0B9AD15B2840BD36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553687Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:40.737{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51588-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553686Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:42.251{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FED2FB9C6416510EFD52EA9DF83591E7,SHA256=FD65E0D2B20C6BBA16895EB8530C6E7AA77B735E1B6169870EB1B13B17C9360F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553685Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:42.204{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB9D7B0401D2C1BF33D2F7B61F224740,SHA256=05B5B6FD5D80A6CE724433E05347435A2AA889BF3BF18A4679CFC451F0FBB96C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652027Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:40.459{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65122-false10.0.1.12-8000- 23542300x8000000000000000652026Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:42.106{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4672DCE083A9826772160EAF972E5F9D,SHA256=8A37D2C090625299DEDB58CFC3DCB2286EE5C5D02FCD3A255386A711A6925D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553688Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:43.240{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7524B5172D7CEB7EC2783BBF2BC1F6,SHA256=E6C32AE5265ED669F3D334C526D3856272C25CBC51812576E5C3B2305D157C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652029Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:43.776{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77F5BC4B0E568347BB83C1FDCC6D02CD,SHA256=AD7A6DA81D7104C66F0D5ECE59E7119F0A502D9D3C16747C8C232418D7FC6C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652028Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:43.111{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BF05E813E8737D6BEC90A1DBF02183,SHA256=C0093487862D159B345D1BC2667667F184ECBF23366183848C970A7186039553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553689Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:44.255{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AFB61F767E0E0ECF8A9FB8F44E38531,SHA256=358BFD9F93CC4B9411B6F154C196F24F542DF728639F80C398EBC08A44267B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652030Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:44.128{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCEC8F8ED58B574996E42164F8C1F1FD,SHA256=F921A209262ECF38FA3457BE5BBEC74858D93D6379FE407AF68E486F0C2DDA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553690Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:45.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9FCB332AE0077F806BAC44250B0B61,SHA256=5A21CF37D93C47FB5C728F33E31A4468218751FDE920E9EBEF5BBB42E30A6119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652031Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:45.129{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962CF39DCEC4BBDDD105086C1A77978C,SHA256=E294A37D90938B62A63CBCF131F86211428CE962B7DDBE7508F66FB7604FDC8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553691Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:46.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCC5FECDF4F29D741F652D5083176BC,SHA256=D4742E9F57009870102AB0777AED102DB41EA292AFE5F22F04D6E333C6832947,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652049Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.902{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6912-609D-3A53-00000000BA01}7628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652048Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.900{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652047Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.900{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652046Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.899{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652045Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.899{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652044Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.899{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6912-609D-3A53-00000000BA01}7628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652043Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.899{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6912-609D-3A53-00000000BA01}7628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652042Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.899{7B03F3B2-6912-609D-3A53-00000000BA01}7628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000652041Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.259{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6912-609D-3953-00000000BA01}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652040Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.257{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652039Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.257{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652038Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.256{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652037Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.256{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652036Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.256{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6912-609D-3953-00000000BA01}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652035Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.256{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6912-609D-3953-00000000BA01}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652034Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.256{7B03F3B2-6912-609D-3953-00000000BA01}7280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652033Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.230{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FA8CAA39A44A8C84B46A9CD062565D9,SHA256=860BD54E615FA76C4B5A53321E6370633C0B37775F40E617BBFF3CBE0A0706EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652032Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:46.137{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24140D55CBDBC142475D536339747672,SHA256=987BCFE6FF34B63E35A1BBD553DA1BA0B0C41ECB4498B69495834DFFA6F860D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553695Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:45.773{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51589-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553694Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:47.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A1FE158F021A7B7C2CD5291B2C7BF5A,SHA256=9D014995626A2244F16D2D80B421CCEBD387E8B889C045CB79AAB26ACF3486FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553693Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:47.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8AB1D520BF65480D02DF95F35104601,SHA256=2BE326442D958F282B8E9B5C4E13669530CAE50A593EC535BD8C0D9788C16F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553692Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:47.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E45CAF4057C4CA600D61D1FB26E263,SHA256=95021917EB4F17CA1409E5B0663FE01E4B50109CD0B017DB0DE4712C38729C2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652061Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:45.466{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65123-false10.0.1.12-8000- 10341000x8000000000000000652060Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.457{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6913-609D-3B53-00000000BA01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652059Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.455{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652058Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.455{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652057Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.454{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652056Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.454{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652055Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.454{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6913-609D-3B53-00000000BA01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652054Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.454{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6913-609D-3B53-00000000BA01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652053Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.454{7B03F3B2-6913-609D-3B53-00000000BA01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652052Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.426{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E43D734F62EBA0C6BD77EE53FD27D1A0,SHA256=F9A034A1B106510B1DC1D50A00A046A857D6AEC996058F986E874F93D9B8E418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652051Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.189{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93A3A6E5D2641DFAD2F1C011E13700D,SHA256=BD58B2EC6609744F14002EC7BD4102D8F3C3EACDC4657303986F9AD4FCF61459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652050Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:47.076{7B03F3B2-6912-609D-3A53-00000000BA01}76287720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652072Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.594{7B03F3B2-6914-609D-3C53-00000000BA01}3844164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652071Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.483{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82537A4A520055A7E3DA3193B1167DAB,SHA256=31C4CA5563E94089B3C66CCE43DCFEEA9B7D8EBC5050E2FF9C5FF5CA7DC83086,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652070Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.447{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6914-609D-3C53-00000000BA01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652069Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.445{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652068Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.445{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652067Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.445{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652066Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.445{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652065Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.445{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6914-609D-3C53-00000000BA01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652064Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.445{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6914-609D-3C53-00000000BA01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652063Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.445{7B03F3B2-6914-609D-3C53-00000000BA01}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652062Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:48.211{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=783E9E35E0A25F4A6AADBA27524B966B,SHA256=79D9DAA3EB5BC493235126CAD7394EE26B4ED0DCF2979780BFF132401A43D0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553696Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:48.302{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E161D81A02573405EB141A165E49A891,SHA256=B1EB3239C21811F0F1E825BF49A1EC92EB7C1B77DEA8C3A5E51040891F9C222F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652083Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.609{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92643F900285117449ED34723B08DB3D,SHA256=4D411A2E6BDEDED065D7B42816FE3D9705920FBF858AC31910495C728D774996,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652082Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.293{7B03F3B2-6915-609D-3D53-00000000BA01}56087320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652081Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.245{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0B20EEC354660A8E087A888857233C,SHA256=35F45A4A249AEF1D9472988609403A39F2578CF0E53B399E44590E8816397A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553698Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:49.318{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15751CE214CECB41F5D15AC54C7CAD0A,SHA256=EE075515A828005EDCBBE336AC828298CBC5889CC0598EFE64CD054BA62B444D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652080Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.114{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6915-609D-3D53-00000000BA01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652079Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.112{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652078Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.112{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652077Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.112{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652076Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.112{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652075Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.112{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6915-609D-3D53-00000000BA01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652074Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.111{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6915-609D-3D53-00000000BA01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652073Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:49.111{7B03F3B2-6915-609D-3D53-00000000BA01}5608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553697Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:49.099{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A1FE158F021A7B7C2CD5291B2C7BF5A,SHA256=9D014995626A2244F16D2D80B421CCEBD387E8B889C045CB79AAB26ACF3486FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553701Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:50.318{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54310322FD1872715A562E5406AA872A,SHA256=5BBED3E21B7FC1DAC7C89F2DDFA9C24959D17F69596E1B77590FB075320F4E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652084Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:50.258{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E9D3A999299008A9908D6E9B024333,SHA256=ACB4A87A9BA5F2E8DB19A7ED282FC135FFE80C38223CC735B965FFD11EB8C7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553700Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:47.698{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal138netbios-dgmfalse10.0.1.15win-host-681.attackrange.local138netbios-dgm 354300x8000000000000000553699Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:47.698{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-681.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal138netbios-dgm 23542300x8000000000000000553702Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:51.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B22F8F9021514CCA62118B53C6F7D1,SHA256=68C9A9C740AC6941D440475AFEE4BCBE07DE454B8BA3CCD94DC3D0B0CCE25280,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652104Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.970{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6917-609D-3F53-00000000BA01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652103Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.968{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652102Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.968{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652101Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.968{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652100Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.967{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652099Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.967{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6917-609D-3F53-00000000BA01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652098Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.967{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6917-609D-3F53-00000000BA01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652097Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.967{7B03F3B2-6917-609D-3F53-00000000BA01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000652096Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:50.487{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65124-false10.0.1.12-8000- 10341000x8000000000000000652095Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.352{7B03F3B2-6917-609D-3E53-00000000BA01}36327380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652094Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.292{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E44137030BD519FF0A311BF6065DD82,SHA256=4A9A5BDEC76CD9486DA367EDDC38B018CE3AC2DDAFF83CA9F92F185A025E87F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652093Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.256{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C0365CF04F3C5AEF6E6465A4109B58C,SHA256=AFFA88F58758D2AE7E6A1694B7CF560C09DBF14B10A0009B5C47530EA1B9AEC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652092Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.195{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6917-609D-3E53-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652091Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.193{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652090Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.193{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652089Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.193{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652088Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.193{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652087Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.193{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6917-609D-3E53-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652086Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.192{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6917-609D-3E53-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652085Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:51.192{7B03F3B2-6917-609D-3E53-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652107Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:52.897{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0F67C8AA37B82D24D6AE555489DE64C5,SHA256=8A49931C5EF8B072DE65C94F0EE0A668E04D02B63DA13E5DD397FEE553B474DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652106Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:52.408{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF2E1BDB267147657EAAB4472C9394FB,SHA256=D06924BFCA983DED8E0D7BD0BAFE2667306E5AB7E2C5B848C960ECEF66C46309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652105Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:52.299{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703844016C13DDE9F6EABD533D8D73E3,SHA256=5D59B937B4116C5CE2941DBF4660A7993442DA1DC46DA719F26C8CFC629B0F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553703Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:52.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300D84224D4454BB796A6E5884310BB8,SHA256=3236CC99E432BC01B6938B6E431265118EB040714A5F0DD57C509B68A30A4C93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553706Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:51.695{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51590-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553705Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:53.365{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7FBF48732E70915F878AB92E28BF8E,SHA256=D3F27E6E68C069BBA3CD025D4E22F7366EE75ED210C688CD7B116A3DF3444554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652108Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:53.318{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E787A587C52AE06D4240D941FAB6CF52,SHA256=37361031742831FE20F950C16BA30F5AAFA691E9AE83AD65B3CA2709D2AC36FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553704Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:53.052{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3D420B2246A5ABA3F341534B6929962,SHA256=0ECAAC89BE40A3BD5D98C91B83DEFA364B36376526FFC575AE18BACA35380D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553707Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:54.396{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4DCB0C4A3C7AFD0F3C882D939BE3A0,SHA256=AF8A51FF9E199F6A36AACEC1DCFFE87BE8A8F06F32F4F38EC5FC031A1FF8E00C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652109Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:54.324{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6BCAFD698D7259CA42755AF3D953BA,SHA256=D0BCB410D91607F0FB4BBA0D7CBCC08D3D762044C13C74663327AB749A423130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553708Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:55.397{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE4C7CB0536AA053D73FF81E928F1AC,SHA256=5E9CACF2A02129579D4365D9CB6544E5FF27FC6AC33B9C607DF3C4D95B169F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652110Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:55.331{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD076558FE957E259EB98CF81EA95F0D,SHA256=DAC25274FAE00F81173C12839F0A1BD1792DDD3E9A14CC1C6351B3D97F04B7C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553709Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:56.410{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26DC3F21CEAC519A6BB90AF65D561AE,SHA256=651F43F6BE7E81DAAF102583CAAAB56CC1FE0B2CA987A68F0213AFE71C1C2566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652111Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:56.350{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EC3D4B5E39D7EB13AFFD4B0A806C40,SHA256=F1225BA9E4D7E6F92DD2619DC6F0793EE3FCDBD4F701B8E32FE8F1EB6051980C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553710Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:57.426{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10200A8F36A0C4E516DECE8C8EF54EA5,SHA256=20039AFD63D74384AFED1D511B6349C3D9D4512EC8719C7B7CE6E894729C6E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652113Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:57.367{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9015DD522807CE84593145EB06B1C857,SHA256=7CEB2385EFFF721F3E034418EC9F6365B8F655337864EB40725827196F90FABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652112Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:57.176{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA23293C975D1E9C49FC184FA6B3FB8A,SHA256=1928E0216551E39AF7E2354AB8072C8D1601F5F019A3407C723E7F0DCF45BE71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553713Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:58.489{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3D07A6CE8D7E7D32B00E1AF9DA7773,SHA256=B731EFC310B234C9BA8C1287B9A03787125478E62C91C288EEFE3F944EF6D769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652116Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:58.834{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=056DC2CE7880981CC81C0AC6666F36FE,SHA256=7B6EC84B5BC06D65F504F769FE5A0BF3F0ABDB021CE9813FB329CED8CDF6DE6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652115Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:58.466{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC7883A4C7B7C02251327C823A188F2,SHA256=D1F38D6FC85C2801DE15980D7312E79611A91A6FEDE4EA811B6EEFB6BEC3D655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553712Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:58.192{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5C2D3CE05F4906C7CEDD1FAD9854C58,SHA256=4552213B4D3FB3BD1DA5B8BA725358DFB529AE5CB5BC97050BEF158EB3E50C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553711Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:58.192{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E820E9645B075EDE09B2A90335B148C,SHA256=C47BBBC6EB4F71B0D90C1DC3B4DD04F4612D2D9792A27538EE3193A2CF99DC69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652114Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:56.410{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65125-false10.0.1.12-8000- 23542300x8000000000000000553715Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:59.520{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39377479310C13F1B7D1BCAEC3BB518A,SHA256=49BBDBE8F492622AF8113E099E2D0022F2872594399825A9D9CC28937FCF0FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652117Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 17:59:59.517{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF0714A1FA5F9A5AF95569CE707B74D,SHA256=B82AE35B077C7EF66C20539F67E76EEB6C5F2DA6C4FE0882BDA03876BB49F31A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553714Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 17:59:56.804{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51591-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000652126Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.619{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652125Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.619{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652124Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.619{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652123Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.619{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652122Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.619{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6920-609D-4053-00000000BA01}3408C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652121Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.619{7B03F3B2-D0CA-609A-1600-00000000BA01}13046208C:\Windows\system32\svchost.exe{7B03F3B2-6920-609D-4053-00000000BA01}3408C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652120Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.595{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652119Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.595{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652118Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:00.573{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD681FC9C865EBEEE8393685762AF79E,SHA256=6AD19BDFD77FE02BE2C80B292A4BB71F9203A1CEF3147E2AD4479492663A7BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553729Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.536{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E28B64163AB0080B0E8D56E63F420EF,SHA256=C2563D454AAC9D515FC195281CBF61948EB52A7A93D1B8F0EC4F42DE1C34DFF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553728Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553727Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553726Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553725Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553724Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553723Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553722Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553721Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553720Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553719Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6920-609D-504E-00000000BB01}2884C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553718Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121324C:\Windows\system32\svchost.exe{E1BD9FC2-6920-609D-504E-00000000BB01}2884C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553717Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553716Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:00.520{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652128Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:01.614{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F363D4C8232CF13BD93DEF5DDAD3C394,SHA256=EB4FCAAA7797C1286DC2C379A7B6D153505A8B3D44D22552DF98C80D252FF740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652127Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:01.614{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEFBFA1FB56E09E994AC18B1174FA0CD,SHA256=6BF44EC72B0CA0B26F742CA22F30C8565DDF0540401880F339F5730FDD49119C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553731Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:01.739{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5C2D3CE05F4906C7CEDD1FAD9854C58,SHA256=4552213B4D3FB3BD1DA5B8BA725358DFB529AE5CB5BC97050BEF158EB3E50C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553730Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:01.536{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D3D794B855C12F776AD7842DF59566,SHA256=A4041425FD70946130086B006A4AF19D4AA3E0FD74F03A9BF2D5143DAA5A2055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553732Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:02.567{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BD07B7FFD01F20F25F8396CA54E23F,SHA256=C628977324FBB8564BBAAAAD1443F90D54F785F8030CAEA87CEF89586D374B8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652129Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:02.627{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5521D46BACF8B4202DB834479D684289,SHA256=4115436AF3CC4085981ABE0688AA83B2C7B0D688A123F47A18763992741B8B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652132Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:03.831{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2C1A70E5EFD6B6B7087F798A1DB60BB,SHA256=A3CE35E586789EDEDBDC472338AB8A182B11FCFEBF25D0A55748AB668ADA53A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652131Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:03.636{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEC272B2605EAF13CECA201BB1A6B5A,SHA256=68B434EF2F9242485CE4C5FA356A3E6D7C9B7271ADAB2299FC6224AF1A3D8D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553733Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:03.569{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BFC7285A23FA4FC0D8DEFF9D1A0A4C,SHA256=8BFA2D48EC480263A10DCE9A48687CFB9979FF62FDB0E1EE01CD27A1AF0C2183,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652130Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:01.418{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65126-false10.0.1.12-8000- 23542300x8000000000000000553735Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:04.631{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC505D678C2816F9723CA909B1321E1E,SHA256=289C60A0CF15F2BE372B4CD558E037AAC5E17F9F82D573BA400B1BD0D4986C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652133Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:04.647{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9624D723A86D79992AAD3E78FF44FD1,SHA256=035A359285CDC13F15CDBF21E007B1946C90B05E354F51AD88795B19C6125609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553734Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:04.069{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19324288249359CCAB620955392C386A,SHA256=F6E758AD7591CDD0A66359977CE3D75C011251318B1B7DDEAB0D5D7D0379567A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553737Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:05.647{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9EE5B74ABF229BE30E14C4EB3FC814A,SHA256=BE0FECB8F4BC9DDA2F9556A5E0C7F9170399474B57B90A275135C12790721119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652134Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:05.667{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB15BF4FBD24E2E6814DEF6899EF0439,SHA256=FE9E48AB9C565E6F8847C269A81E372A48315595F2F6E9F995CA124BCA999F37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553736Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:02.680{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51592-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553738Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:06.663{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2F23A7115361AD08E4A982D6D2A047,SHA256=003B5D11399FFAC1EAAD628385D825AFBAB1F4101E682C2763DB65C9F2930CAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652135Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:06.687{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB7AA0651D82A2993210CB76A075C34,SHA256=4D90FE2E4CC3CB9554471811048A7AFADBEF319C5DC9E5010159CD92ABB5F6E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652136Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:07.691{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6304606C6920D0196DB31D4B109BB630,SHA256=F7B6C5F31C37266AB06D922E1FF54816E0E3EE6971E51CD142210D829658B035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553739Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:07.694{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE0955317BC1FA866C15CDD1C509ACC,SHA256=9DBAF3F887B36AA3EDC0D6B9847E85B67D774C06495B999EDF3A3C2F6E1B4F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553741Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:08.725{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=04663B785D24ED332A1AEB744F00A3B7,SHA256=F83E7EBE155362AD1DC107935F33E85DC3D2D4859139EC2495B503ED26A271E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553740Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:08.710{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E30C3B6CC70F68973874DF6C824D10,SHA256=A2AF23DBFAAD11EC3C3AE3A3A2930A1339AAB6A20943046E99D133FC6C527999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652139Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:08.717{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F567735B8BFBDC09E1A2D415FD782BC,SHA256=9C2CD9F54CBD7E27514B22BC666FF670B8A3CD3FD0FC0C2D01EED7E67E7C7883,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652138Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:07.255{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65127-false10.0.1.12-8000- 23542300x8000000000000000652137Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:08.028{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9BB365CEA3CF304C1EDA89BC4232866,SHA256=55120B0E904F476472E5E3D0FE2AA5588CF86EA5185210FCC434B73D701A117C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553742Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:09.772{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342F5114B482D42651BEEB04F32B7EDD,SHA256=22265C42E53F1D2031036CACC66DAEAC3071C44785B9820F99F5013BAB5BBDEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652140Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:09.727{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC60C870E5BAE5CE94F958F7B56228D0,SHA256=6BD9FD343416665B6ABF91A0F0AEEA28D1615E6FF88AD51B32587FD4B193080B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652141Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:10.736{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC114D97EADCFDE08E904E63F78A10A3,SHA256=D9FA6BA1BDAFE23BF5EA4C5D9F86791C41AA2E0D15B3CFF7139250CE84298E33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553745Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:10.788{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937E26B1229697D35A98D5AB9F4CAB1D,SHA256=D7A24E3863C19A4379000BCEC1A5622BC8EA3501D92A8006ADF5CFF3019A6E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553744Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:10.053{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27ADE0772B8B04F97EC2CE8C7AFA6A3C,SHA256=3AEE6E23D30882C2D3DD7AAC77D6F146246D2ECE16E896EDA60F806D47074E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553743Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:10.053{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BDCFA6B25905FC6BA4D7B6B47937D2D,SHA256=69F93518DCF09A5286418D49C5E7CD071E0336F5886DCC9B77AC6F79329D085A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553747Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:11.803{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1E0F7502E44F6AF824AADB3EFAC15C3,SHA256=FF6CBAA75588B255A8637BF47841DFFCE89E901ACB13D6CEEF7C7162DA6D51FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652142Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:11.762{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE48BC63230767393ED53B856DE02F2,SHA256=D3F86EFF22C058BC71006ADA18A1C4569367CE6FC7D076FBEADA9B5FC1CB65B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553746Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:08.665{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51593-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553748Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:12.803{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06943A2372BAD54E50F73C6D1531B026,SHA256=3F261632E309DEC311792FED681A6496D5B0511C7F0D31460D7F1F173FEC8316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652144Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:12.925{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA47D983A577FBA3507974165BB9D42F,SHA256=98A268EC093D63ECAC403026C40E21DF344E31DD8B6DCC2CEF066DE8B66F3410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652143Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:12.767{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB2045FA8BB062A9D0ED32FC27F4E49,SHA256=47BCBA66C5C20379385C4FCEB131A92A859376470E212DA10D03A7D2F565F358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553749Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:13.866{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F6D73A2B9DECA183BB689C58DF08D8,SHA256=257B7408CF7C5FA1FB8733ED7E294CB86AF3C1A0ED2FABA8B0E2445561F8BBE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652148Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:13.773{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61956D426164A4A54FD3036AE247CB51,SHA256=416870165C39B196420A31953034C28A114FECA250A0176A03E18A79151606E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652147Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:12.157{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local52294- 354300x8000000000000000652146Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:12.157{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local55498- 354300x8000000000000000652145Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:12.155{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local54424- 23542300x8000000000000000553750Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:14.897{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76ED34795CB836DE2C2275F7B1DB2D06,SHA256=374D99000428951157B9512CFA1533713D81497E0863D64B45B71F3340FC0A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652150Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:14.780{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD41D76622709DD026EDB6BEF2F970F7,SHA256=5430069296751708C4288F7971CB9BFDF85272CA43E8DC191AF3855E78929AFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652149Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:12.401{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65128-false10.0.1.12-8000- 23542300x8000000000000000553754Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:15.913{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475E864D2EC6B95838AF636C0D0D3BF1,SHA256=779819CA5AA12901FB2FEE0D8743BBBC97449DE7366FE74BCDA9AECBDF177AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652151Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:15.791{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5614EB13C7BDF4579F44C1A9F64DF58E,SHA256=E2015C9B5499C5CDCF5776D4CB321DBAD286D8C4FE506108CF702B1CCE1A11E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553753Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:13.712{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51594-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553752Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:15.085{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0F28EB918BD4D1B27B7A53260D5C0C7,SHA256=9A3E86931E3C36EEBCB479F11F90A1DBEC18472B7E4F03C38F7D9119C1363807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553751Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:15.085{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27ADE0772B8B04F97EC2CE8C7AFA6A3C,SHA256=3AEE6E23D30882C2D3DD7AAC77D6F146246D2ECE16E896EDA60F806D47074E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553755Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:16.944{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF99EBF3FACA917FD0BA81F8DC2F51C,SHA256=114C9845160C55E69E3D2CD978B03E6C42C6D22B03D5E34E9D8C47E37E6D93FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652152Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:16.798{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39B20632AD21F76FAE7A2D36ED3F08E,SHA256=ABB2361FE4E0DCB605B10D36AA76CF8D6523B1501B729857C0600D15982C5893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553756Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:17.991{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AD24BF4847F4251AE165760C2EE78E,SHA256=C5845B4E8F690B6395569E1693B6ED289C55D1E13D5194EDEDF013C1A20C0CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652153Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:17.804{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CF9DD64FF302DB9879A1AFADA3F57D,SHA256=412D93885CA49FE8FC45148929ED53C22034AD1CB8C3A5672EAB098A3DFE0085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553757Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:18.991{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB979D07FB194D75A5930E962320736D,SHA256=560AFAFFDA293C72474818E42446FE1B06D613F90A3C69989F3244DD4596C7DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652156Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:18.837{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3592066698E5E817FBAF0ACDAB8450FB,SHA256=1A818174C1A34C0D2ADE16927C6A8908C7F662F2EBEFFEF6C113DA10F2E57BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652155Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:18.808{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=468B25ED7E3D37F35BBCC5211867033C,SHA256=5CBFD7FAC47FA057D7BA563F64D1CDA35509334F87C8FE09A4DDBEC705000A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652154Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:18.807{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FAFFAB691B957D77F9791C904551BE6,SHA256=BD6185592D1B1DAE23916C171B1B65B4CCEFEAA04F0466AD7E150BDA75F98064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652157Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:19.848{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0374933FF10A1C852855C6BE135A77F7,SHA256=CF636B18378DC82583F3F9DECFA199F0B65D307F77B20A24DD50A016D2A898A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652159Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:20.853{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B776AADCFC50D73891EC9FE296B277D3,SHA256=0FFC1B63FED78393204D7E259D21B4935F512CB16630C5EA5E57CA721E3AD402,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652158Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:18.292{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65129-false10.0.1.12-8000- 354300x8000000000000000553761Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:18.727{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51595-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553760Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:20.100{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B06AA4FAA1453966D0105F4D3F63F797,SHA256=8EC600F85E25E5244B34A8EEEFC96967B1F7DFC630C8D800ACDED82BF2173B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553759Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:20.100{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0F28EB918BD4D1B27B7A53260D5C0C7,SHA256=9A3E86931E3C36EEBCB479F11F90A1DBEC18472B7E4F03C38F7D9119C1363807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553758Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:20.022{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A578D72259D22A72C741421ADEFD373,SHA256=4815C881FE7453C0AC934F9E94A5EE44D66176CD34F0548B2B1F8EBD80C12F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652160Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:21.857{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C0B3638D9FC55A3073311F7A006F0E,SHA256=66B4575419A5CCD6F31E06BCE951262FD1B3CBDEC188F57E5B93805DF268A588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553762Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:21.022{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D83626940868F8B1BC6394B7012B0F7,SHA256=29DFCF6379122B25F8F47E9A3514C29878DAAC8E133A4647DE0CC3CC4027F6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652162Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:22.929{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652161Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:22.874{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2981F3D240949D7273C32A67BC00EBFC,SHA256=39A63BFADB75B868042D6D89A5FD611C7D4802EC249AE57D6666FC5D4EF2C7E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553763Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:22.069{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8531A63638D2F7451542F7881AC3BD3,SHA256=F44603064B57F04A203676769214D14F88D47C83F8C2ADCFD29791FF629A2E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652165Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:23.887{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75647B13CE6B034FEFF9BBDAF193B01,SHA256=39874BD905691CCB5015FFFC75022024C4EAFE6FF2158D941A819F346502AE13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553764Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:23.094{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D6D192413D361600DAFBCDF4CF3D62,SHA256=BE6649569F392C444B00DD2EDE9FEA7068C96CD2079D1E19185C2CCBE305E100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652164Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:23.816{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D0F3E31D3486E16364890729BEFDD36,SHA256=733BE029E235D454B021F2ADEE14A7CFFC65B2D332DC528D626B307D84CFF2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652163Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:23.815{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=468B25ED7E3D37F35BBCC5211867033C,SHA256=5CBFD7FAC47FA057D7BA563F64D1CDA35509334F87C8FE09A4DDBEC705000A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652167Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:24.903{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74F998CF3576F3181B9E95EC44C0CBA,SHA256=A0B546BBF4425780CDB263B78B2BF198A0267F0969A30C1B3407B44DB5AE9D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553765Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:24.157{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4492939FD0B6D1A538AA9A7B2A42C106,SHA256=5F538C385F02740D36BA82FB2B617E9F1E217C08B50D944BAE7EE048AB9AB438,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652166Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:23.142{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65130-false10.0.1.12-8089- 23542300x8000000000000000652171Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:25.927{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84A7F604FF9B6715A457BB7CD3B3F73,SHA256=F0656EE11F8A659D849EF6250FCF9F1999D1A27F32017548DFB2C1A5FBE93432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553766Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:25.157{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC48A12774222D374BDBDBC85E59E26,SHA256=93404ACEB49206DEBC8884A0018C56443AAD96AE1AC6A440CCC343FDAEAB73BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652170Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:23.554{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65131-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000652169Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:23.554{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65131-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000652168Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:25.099{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D0F3E31D3486E16364890729BEFDD36,SHA256=733BE029E235D454B021F2ADEE14A7CFFC65B2D332DC528D626B307D84CFF2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652173Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:26.943{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA22F13B0FA3AC962F0B42787A9A2B7,SHA256=BCC53DECF09D0637BA654998E34A6ABE351496D8546794DACF456C819244483C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553784Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.907{E1BD9FC2-693A-609D-514E-00000000BB01}20002828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553783Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-693A-609D-514E-00000000BB01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553782Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553781Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553780Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553779Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553778Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553777Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553776Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553775Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553774Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553773Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-693A-609D-514E-00000000BB01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553772Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-693A-609D-514E-00000000BB01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553771Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.782{E1BD9FC2-693A-609D-514E-00000000BB01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000553770Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:24.753{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51596-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553769Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.172{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EA0C6DF05B47F36ACD8AC15C4E25F1,SHA256=D5A53D4D5A15802453E4C7B6B87076EBE0439FB4E47FC80D00115121C536A364,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652172Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:24.328{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65132-false10.0.1.12-8000- 23542300x8000000000000000553768Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.125{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEBDC2B33B411D7C6539A89EEBB711B7,SHA256=0D68E3554A8A061613158D0643125D26AD8ABA7824F2093C5A9DB4FD7ADBCC02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553767Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:26.125{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B06AA4FAA1453966D0105F4D3F63F797,SHA256=8EC600F85E25E5244B34A8EEEFC96967B1F7DFC630C8D800ACDED82BF2173B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652174Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:27.960{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C000A52A67B7899FA4DFEA19A7971D,SHA256=BE28E35A06651573D639AE213924CA98795FB4B8AAC2401E3DE379A515698DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553800Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.844{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEBDC2B33B411D7C6539A89EEBB711B7,SHA256=0D68E3554A8A061613158D0643125D26AD8ABA7824F2093C5A9DB4FD7ADBCC02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553799Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.563{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553798Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-693B-609D-524E-00000000BB01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553797Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553796Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553795Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553794Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553793Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553792Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553791Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553790Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553789Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553788Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-693B-609D-524E-00000000BB01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553787Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.438{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-693B-609D-524E-00000000BB01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553786Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.439{E1BD9FC2-693B-609D-524E-00000000BB01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553785Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.204{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7319939DC2F916B1B551BFF65DE12654,SHA256=7E9D7C23FD7EDE42AE73CD40071A5F143DE9C6C954AA2DB2A9A7522C1DF1290A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652175Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:28.967{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1BDD0B4501E797531B9EC69A8BEB59,SHA256=FAE8D6A3F8987122BFCD3E18C266AB96860E69CD2710DBBC63A82E8384FF31D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553814Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.282{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74138D8F9166AA967E6E924A4EB6FF11,SHA256=FC6D169C56357F9584F243577406E11985D3A3C03DA52EADFD185429F3AF4989,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553813Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-693C-609D-534E-00000000BB01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553812Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553811Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553810Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553809Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553808Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553807Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553806Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553805Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553804Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553803Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-693C-609D-534E-00000000BB01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553802Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.063{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-693C-609D-534E-00000000BB01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553801Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:28.064{E1BD9FC2-693C-609D-534E-00000000BB01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000553817Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:27.191{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51597-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000553816Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:29.297{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F657BBA448FCD0B5F041E4CD7BDAEFC,SHA256=C529B80FFE7F050E6A8CE4E073F265E20122A29605C26AB9CF81C2825A6A0E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553815Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:29.094{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E4B5E12C002987E8E9EDAA3F1C10C04,SHA256=9AFC0D5CF4B785B6A392151A3E77BBBE364813455A5E4097B42789829FDED4C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553818Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:30.313{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62ADAA3FDB950EEF055C6B090BCDD49,SHA256=52309E1A62930742D743DA2F8BA5710C9459ED276620C0BCAD49784AF000F7A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652178Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:30.213{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D906C05037E4B76545929885ABE9EFA7,SHA256=BE1B4CDF800E300B0FB24DAC4FCEDCC11D70D721397DBBD0357A881E8BB09226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652177Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:30.211{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F648FF92A96F7AA215C62BE6E99FE26A,SHA256=650307F38FB6B2045BFD6F303D8DACD6B7C82B55A43D970D4E3088F590751D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652176Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:30.001{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA46DC00695D73C0F962D96BE04B336,SHA256=D27E90B6E28B8ED00815E9DF5F1A5AC02ACC50899D901EA8B3CA8D3452CFF726,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553821Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:29.878{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51598-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553820Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:31.313{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7854F0B3199B820A496D49797AC786CD,SHA256=BEAD761F0905B1F3F2DCCC656512EEE56CAF771DAB48895A3B50D97E13B03BDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652180Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:29.440{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65133-false10.0.1.12-8000- 23542300x8000000000000000652179Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:31.008{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017EFA4C290018841FDE4F63F914C019,SHA256=F7706D07FF656478238AC48E314D99B08C815050057C8E2E7FEAF1C79AE15981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553819Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:31.266{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FD4D4744E4AA2F3F4050A1E10CC1711,SHA256=DAA4869B9FDDA6BCB5298877FFA38AA2C7D39408CD4B133F540412E8E8CD9803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652181Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:32.018{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A433B8184EE83F10B1D7B7A4F49862E0,SHA256=5BE20C2F88A014C947970D87A714E2756B7DBD91AB220BA16AFFD7C4308EBBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553822Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:32.360{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3C7B3B3D4A231101F57D1E3A289735,SHA256=8B6E70BB31C4DE0517588E1CA4CE0ED4339D3F578228A539E7F60E39D728A663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553823Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:33.360{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B935671FEC36D4E1B7AD8405F0D40FF,SHA256=312589C96564527098CE2CB1B3AFA117AA6AAB61454621FC00FC46626448DEF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652183Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:33.883{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D906C05037E4B76545929885ABE9EFA7,SHA256=BE1B4CDF800E300B0FB24DAC4FCEDCC11D70D721397DBBD0357A881E8BB09226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652182Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:33.036{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13101DB2B20D3504DD0C251DAEFA09D,SHA256=615829F2833DAD9CD8A98965124E797E0E516AACCB3DEAE8AE61EBB9CB07746E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553824Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:34.391{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC30891B02BCD3D1B745180A51274EF,SHA256=C7F6FC0B70114B783B5B1309C5FBE4FDFB3760C69A5879A8CDA7BC4DFA095D2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652186Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:33.113{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65134-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000652185Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:33.113{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65134-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 23542300x8000000000000000652184Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:34.047{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705A41C93774F62A31F86E4FC906F17F,SHA256=9C28D89520D07C6DDAB33A92AD67FEA4E090E4EF62884F8CF5F38C8FDB8D1B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553825Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:35.438{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB719FFC972FF187380FD4EBDB8B43C4,SHA256=374FE03253BD6F45A1F95275F851880121E657083E8FCCD61DD38D702BF33CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652187Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:35.053{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676A948F12613C07ABFB9DF5A7025DCB,SHA256=CA2888B53F6B5BE86ACD16CCF01C1528C55B60874CA5B6C5A2296CA730BC8038,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553854Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.797{E1BD9FC2-6944-609D-554E-00000000BB01}8082848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553853Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6944-609D-554E-00000000BB01}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553852Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553851Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553850Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553849Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553848Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553847Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553846Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553845Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553844Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553843Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6944-609D-554E-00000000BB01}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553842Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.672{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6944-609D-554E-00000000BB01}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553841Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.673{E1BD9FC2-6944-609D-554E-00000000BB01}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553840Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.438{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=991A81A8E11B792A057F578F73F3D1F0,SHA256=8A3A5E4CCD6F4438C1A8AF007701D839A19F6E5E403F0D89C172358E02CAD361,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652190Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:35.275{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65135-false10.0.1.12-8000- 23542300x8000000000000000652189Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:36.070{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3301732F5175F3AFD97328B53985E3,SHA256=9E6E762189E7A5404CD42907460213ACEB0A4CB44C582E27605B6449C7D9D1EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553839Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.157{E1BD9FC2-6944-609D-544E-00000000BB01}36763976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553838Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6944-609D-544E-00000000BB01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553837Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553836Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553835Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553834Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553833Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553832Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553831Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553830Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553829Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553828Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6944-609D-544E-00000000BB01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553827Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.000{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6944-609D-544E-00000000BB01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553826Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:36.001{E1BD9FC2-6944-609D-544E-00000000BB01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652188Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:36.046{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=318BFBB491E27A19C2A81E1E929E2044,SHA256=51E6FD89A0ABB4C12312D12448B9746D2B3303965288292784A356D528918C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553871Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.641{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F50ACC65552D8FAA31051101AF482D7,SHA256=335C28BE0187197DD95D46B9AE9F694BF78B6E839C974AE482E4F121D716746F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553870Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.469{E1BD9FC2-6945-609D-564E-00000000BB01}8723940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652191Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:37.077{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F627D6F08964F668CDF812F98D71251A,SHA256=31F46D4A449CFC8EC245FE8B87CE3B9BF8EBECEB1A6016AFF6B7176E09B50568,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553869Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6945-609D-564E-00000000BB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553868Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553867Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553866Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553865Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553864Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553863Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553862Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553861Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553860Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553859Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6945-609D-564E-00000000BB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553858Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.344{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6945-609D-564E-00000000BB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553857Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.345{E1BD9FC2-6945-609D-564E-00000000BB01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553856Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.001{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CD10A34076AA16EA225E564787B132B,SHA256=2D182A226075A578DC6418B540C2F96670A822AA372121F08AF237CF5391DE72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553855Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:37.001{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1012499149A6594331A7F4CB00A2231C,SHA256=EAFD6B789F7EB149167C3D08896A3FC735C69BF38E0FA6335A1BBB2509F5C737,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553887Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:35.799{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51599-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553886Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.485{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7B43A55CA0784159DCC70DC9936286,SHA256=E5E749DB5318FEA0D58A4BCA64334A71A2DEBD79F7B85F957721819438F12FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652193Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:38.820{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35D052533755AA985DC6DC45A3EEF16D,SHA256=5E07CFEA72E177052BC771B4641D2DBBA5B42EDA4A8B11F982E1CD72689CD9EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652192Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:38.100{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=655348D38BF8E7DC077866F40AA9BD0D,SHA256=7F9C1FE7F445FBC0F758751408C2973DC7901BAB2C45C15F112A3BBDB49823ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553885Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.391{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CD10A34076AA16EA225E564787B132B,SHA256=2D182A226075A578DC6418B540C2F96670A822AA372121F08AF237CF5391DE72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553884Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6946-609D-574E-00000000BB01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553883Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553882Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553881Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553880Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553879Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553878Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553877Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553876Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553875Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553874Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6946-609D-574E-00000000BB01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553873Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.016{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6946-609D-574E-00000000BB01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553872Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:38.017{E1BD9FC2-6946-609D-574E-00000000BB01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553888Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:39.516{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3677359E6C83A9FF4F6E87295E8A76A,SHA256=EA57F7D09D09E74DA2FD13E31275B518FFB61F8035A9D7A23FB3CCB60BFA0DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652194Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:39.113{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28739BA314E47637387DA15DBBF13238,SHA256=D7647DC54BF48DDC19DFB9DBDFC12A83B0CF80EA48F37DE5F885D6EAB74D29CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553889Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:40.532{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9C6593F9AD49F1C49C093646CD94D8,SHA256=6357E3A94A4432B910704462B4F1657601670402537513D703C7197EA2E55AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652195Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:40.124{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE342A5E6A806B931314C39E357C3B08,SHA256=F900221FDEF5C4FFB5EFF7AEC24ACF5F4692D72D714D5332D64B075F0A705871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553890Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:41.532{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A51FA46A727DA58178130581CE4C92,SHA256=A788EB05432F55B8CC6493F3311FBF07573A7784948B725E95AB9E22484B9E2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652198Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:40.473{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65136-false10.0.1.12-8000- 23542300x8000000000000000652197Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:41.324{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8326F91660AF723F03F72E31CF5912B,SHA256=F22FB6C4898F411347998D331F00A4051C82A4429E23F5047FC5B843C84CFE58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652196Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:41.134{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD5224590E84CF0EE67EC1A6D5EFE3D,SHA256=8A07FF48A91B65019E72C6D3D9D1388FD2ED1689143C504F628EE152F96A2426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553891Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:42.532{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706F02DDB012E54DE034E2CAB749B603,SHA256=0B9804FF28CBF82E38A55793BB8E80A5C218A31C7485DBB9738B266028C81077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652199Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:42.148{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2776C7C4EBD65B2849BD14F7890F30C1,SHA256=656D5FB95A4C05AF56E82A5AE923477BC6A3AF6C2710B996A3A8DF7B220AA2D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553893Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:43.545{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4EF0BD3A0198F266E7D48F951018FB,SHA256=B74E4E86841EC0796B2857423F5EC65408AC234C3C5C8065B4AA55C42690B11C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652201Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:43.823{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E81FAF64B7CD5EFF4570DB3A41F81470,SHA256=421CFAB436AB0575D3858E9EC33F96A027E7E07ACC7AF2C7D00615B5C5F0D31D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652200Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:43.155{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2075F9739AC38617BB7CA0EFDE6B9CF,SHA256=CC394BB575F085E29278A8A27B340F9467214C4641F5B23E4B4D8C0EF89ED58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553892Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:43.123{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55797CF18701F58E2FC805F187756B5F,SHA256=B6AEC9EA8FA7DFACFF5D14118D96FFE7CCFD944040DECE9CEBEDC5321B26E620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553895Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:44.561{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F549AB474DA9AA168ACB43891E3F6D8,SHA256=B8253A695175B9BD69A55CFB35DE1FB1059B77603642209A50054390DE5E1675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652203Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:44.507{7B03F3B2-4788-609D-774E-00000000BA01}1036ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1036.xml~RFa23d505.TMPMD5=5714059E6175AA2BE2D911D4379F98E9,SHA256=264C6878029CE25FF6ED4F8B1DC23FC47E1DCE8FD2D3EE4B31E7066B69968955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652202Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:44.163{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89387B076B54CFC265629EE2828D2F89,SHA256=C4696895250A95A772966B88084281FAF0F53B53DB2D92250906DAE26A46D235,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553894Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:41.706{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51600-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553896Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:45.561{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD111AFC4696464590052BF5C0922CF,SHA256=9587789B0FB9F551DA92E80F3D00B86BEAFC2CCE5A2A1B21D003D60E49C0C0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652204Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:45.173{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0317B30DBB5AD358DB7D212B43AF803D,SHA256=C855767C3BA90B1CC1075A2AEFA76F448809AD4F8556F782462B48C9101CF1D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553897Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:46.623{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E534C1F00B668FCF3990D5E848C4920,SHA256=D59F7E85BAD237DE8123C4A5A5F850C69F36D72740961D4C3144860E0598B647,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652222Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.938{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-694E-609D-4253-00000000BA01}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652221Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.935{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652220Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.935{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652219Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.935{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652218Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.935{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652217Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.935{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-694E-609D-4253-00000000BA01}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652216Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.935{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-694E-609D-4253-00000000BA01}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652215Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.934{7B03F3B2-694E-609D-4253-00000000BA01}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000652214Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.460{7B03F3B2-694E-609D-4153-00000000BA01}72447792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652213Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.266{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-694E-609D-4153-00000000BA01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652212Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652211Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652210Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652209Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652208Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.264{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-694E-609D-4153-00000000BA01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652207Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.263{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-694E-609D-4153-00000000BA01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652206Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.263{7B03F3B2-694E-609D-4153-00000000BA01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652205Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.187{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72CE830B3C3CBF14D12640E071F28A16,SHA256=8F03380C6BE043F5A81C38188AE7D92DC373532F7396C584C875478053297819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553898Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:47.639{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420694F379E6055F88AACCD13CA0C76F,SHA256=E602B810E29217DD6AD79743E00C4BB0EB642F1559DA239E83D2D67FD2E18F22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652233Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:46.396{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65137-false10.0.1.12-8000- 10341000x8000000000000000652232Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.531{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-694F-609D-4353-00000000BA01}7952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652231Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.529{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652230Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.529{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652229Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.528{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652228Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.528{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652227Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.528{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-694F-609D-4353-00000000BA01}7952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652226Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.528{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-694F-609D-4353-00000000BA01}7952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652225Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.528{7B03F3B2-694F-609D-4353-00000000BA01}7952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652224Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.202{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E2A03EAF86C82088DFD34A430BDA43,SHA256=740183B907FE9C30C4E85C97FBB3C6A11A0179630DA2FB416D405C314B1ABC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652223Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:47.173{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE3ACBF20EE7CC8D446C2F61E993702E,SHA256=82C48A12BB4A05B9A034CAEE3749C6E2EE2D7FF771D9EE3BE3A9687765B68C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553901Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:48.654{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE9E02389E25EA14D5AF8675DC99FE2,SHA256=B146B82C588B0458AFB2571643E88C673BE61A6CB711935E68DBB64466C3DDC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652244Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.600{7B03F3B2-6950-609D-4453-00000000BA01}9962060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652243Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.536{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A55C098AEF7AAB39E6E5D2BB49A57940,SHA256=5739AED666EE87883131DBF5553F0A6AAD434F11A36BA292F741DA112B9CDB77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652242Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.451{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6950-609D-4453-00000000BA01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652241Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.450{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652240Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.449{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652239Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.449{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652238Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.449{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652237Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.449{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6950-609D-4453-00000000BA01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652236Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.449{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6950-609D-4453-00000000BA01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652235Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.449{7B03F3B2-6950-609D-4453-00000000BA01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652234Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:48.221{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DCBF7F4A4D96970FA4487B5760C56F,SHA256=81602E41AAE4B186CFF8023B0CBE73F9C48E6FD6837C14EB89156DC588BED155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553900Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:48.154{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9551F58B7005BFC94FA0CD3CDF43A0B,SHA256=C236BB861C1E19A4F0B23A25633700DCE2BCA083474C70271BD6AEB2C972AEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553899Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:48.154{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EF19ADBF93F81D8659FDDAE36887969,SHA256=9681F84D9008FE195480EDEE0F73BF5624F76DE2C1A1217984953FAF322B60BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553903Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:49.670{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518E1F4B5CE0999764073A1892D151E3,SHA256=2B7D87A741AAC7F04782A1EABB680BCAF431378FA6D85EB747A1178E777C1C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652255Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.608{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A108ED7601D0B1A7FAFF4DE3E522787,SHA256=F8ECAFC507F5E4B83683D197033404DCD3A43B4299769DABE2F1180E3875FA0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652254Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.292{7B03F3B2-6951-609D-4553-00000000BA01}41245324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652253Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.239{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237745DE652D8944D1CAF3370D6A1DE7,SHA256=6E7E297E6A135F7C98597B69190146313B61B5A25242840EB74FA5E7AB5DBBDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553902Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:46.719{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51601-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000652252Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.127{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6951-609D-4553-00000000BA01}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652251Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.125{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652250Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.125{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652249Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.124{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652248Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.124{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652247Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.124{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6951-609D-4553-00000000BA01}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652246Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.124{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6951-609D-4553-00000000BA01}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652245Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:49.124{7B03F3B2-6951-609D-4553-00000000BA01}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553904Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:50.732{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E583641CC6E93A29CB90BAB6C531BC37,SHA256=7BBD0861C57A0E5764F8A159F3605C3EFF9E1067AA8DA98EEEE25F48DBCF536E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652256Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:50.262{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E91FD4AB898F345A086BEF74E14CB20,SHA256=BF6E548777181AF77E70DF2EFD5DD4A74101740EAD82C32A33AFB7EC83BB7C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553905Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:51.732{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9596B8F45BC976FDD3F59D20F91DA401,SHA256=F00460BDE81008D35847A80BC6AABADB7FB221EF7ED2A43468D07C86EB40598D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652274Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.986{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6953-609D-4753-00000000BA01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652273Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.984{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652272Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.984{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652271Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.984{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652270Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.984{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652269Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.984{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6953-609D-4753-00000000BA01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652268Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.983{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6953-609D-4753-00000000BA01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652267Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.983{7B03F3B2-6953-609D-4753-00000000BA01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000652266Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.382{7B03F3B2-6953-609D-4653-00000000BA01}33646308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652265Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.284{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79E492FCDC9ABE3C73F059865B713F5,SHA256=290D0E849DA4E5566AD9E5D4C000885A4A71265662A88CB6B0275B44FB4359AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652264Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.210{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6953-609D-4653-00000000BA01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652263Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.208{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652262Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.208{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652261Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.207{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652260Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.207{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652259Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.207{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6953-609D-4653-00000000BA01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652258Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.207{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6953-609D-4653-00000000BA01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652257Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:51.207{7B03F3B2-6953-609D-4653-00000000BA01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000553916Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000553915Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a1c599d) 13241300x8000000000000000553914Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74819-0x87c581c2) 13241300x8000000000000000553913Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74821-0xe989e9c2) 13241300x8000000000000000553912Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482a-0x4b4e51c2) 13241300x8000000000000000553911Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000553910Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a1c599d) 13241300x8000000000000000553909Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74819-0x87c581c2) 13241300x8000000000000000553908Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74821-0xe989e9c2) 13241300x8000000000000000553907Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:00:52.764{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482a-0x4b4e51c2) 23542300x8000000000000000553906Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:52.748{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8171D710546A9C006668A5CA3353101E,SHA256=38BD7658200349B5438F05CBB17912B968005160A7991D1515AF025EEC6E6693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652277Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:52.905{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F947B3BA47EF6163E736B5CC8FB6E5BB,SHA256=BF6152EB674ABEFE348099171D55A2F1B69A17C3898793739A50AA8874811E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652276Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:52.294{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A13895EA184DFBAC20862E3B221EE3,SHA256=0280A003ADD4BB663023FCC5AA9FA52895FC4ED23DD32B61CF121AE20D15D2C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652275Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:52.224{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44FC4FDA09CEE8B8517894D2D50904EA,SHA256=64B08E594102F7ADE263AA78724E130B0B6FF9AA5E51C47D2560F33080A967AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553920Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:53.764{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC433579C9A06CB0F541CB765C1CE00,SHA256=9C111B5F9284C822F1B525C7D20E18CDAC2F0A2E06B7BFD1B8AE88ED0A30C3E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652279Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:52.338{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65138-false10.0.1.12-8000- 23542300x8000000000000000652278Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:53.427{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DBBC70561264617598D95AA3F57F66,SHA256=CA04F99E03B5E71AD976D1A272379B58A7D030F745EB734CDF8E30A734E004F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553919Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:51.781{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51602-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553918Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:53.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=844575E415A19EA968D634142019E3E5,SHA256=6E5DA4EAB7D0313CB75E7EF2270FC629C8FB2A59B2E02E11C94FC3FCC62B9EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553917Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:53.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9551F58B7005BFC94FA0CD3CDF43A0B,SHA256=C236BB861C1E19A4F0B23A25633700DCE2BCA083474C70271BD6AEB2C972AEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553924Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:54.811{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074ACAA16695CD933DA3D32A4C7BED2F,SHA256=D59C2B0492A79DCBC203226A162D1F3323274C59A8051D712E0A6A027CC95E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652280Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:54.438{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1089FCC275BE384D5D9E6926D6A498,SHA256=CA54C9837AD6753D4B2CC2ACDFE3B2B2528B21805D1DD2D3C469AFE9A9C32F72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553923Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:54.404{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553922Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:54.404{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553921Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:54.404{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000553925Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:55.827{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8178F7851F310200C5C0B45CD384C6,SHA256=1A5A12398B5F026AB5B233E3A7B33C1A4A6527CC04976D8B321F751A5CD76BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652281Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:55.449{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBC05D11D09D822F0A4FD5BD441A179,SHA256=23D2A998BEFE744E8AD437F4E9B8F5303C72D2FA0CB372992D9213B8C14A7505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553926Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:56.841{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00675247DAC0AB2614B322ABAD92E1DE,SHA256=106D9C938533822D6C38C189EF2A721ECBC9B6ADE1FD85F1E46A0514EBDE695A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652282Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:56.454{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB60F00589C9C59F5E0A4B1A9112146A,SHA256=59E354A133FF5B329F06D85E04B3B29DF342D3C604154F683B724527A944DAB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553927Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:57.842{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66790D4AFB2EF305E775924395407B40,SHA256=F058EB17507864C2338401EBA1487E637576C254FA4B319315284A5238803008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652283Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:57.466{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC1981216ED3B77FFFE6780945E1168,SHA256=8A094AB6FAACECF793127A72FB08405032A3D142D7C8D91A129FB3CA85399A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553931Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:58.842{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81D8FDF6898DB88512D84338CF59D8C,SHA256=4CDA46CA89A08E013834D7E5C8EFC8FCBC173E10E41B27605C66361B587E5182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652290Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:58.483{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579DF06CEA9755FBF9C04CFB49AAAF48,SHA256=014431B6156A365FA9D4994A469BD57727370BFD109AEA67BAECF242C6C13431,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553930Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:56.811{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51603-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553929Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:58.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E319C417848A62746A86F4F47DD57E82,SHA256=E0AD40E9ECA53EA4FBCBEF1372793AB5A35C70E1ED1C052C10FD9739D85330F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553928Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:58.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=844575E415A19EA968D634142019E3E5,SHA256=6E5DA4EAB7D0313CB75E7EF2270FC629C8FB2A59B2E02E11C94FC3FCC62B9EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652289Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:58.312{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\aborted-session-pingMD5=5216D922996B57BE5B16DD2B588587B8,SHA256=A3A41E3766B277C93DB37120EB6F4E14C19E40C150EE569CFA852644FC75CDC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652288Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:58.282{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000652287Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:58.282{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652286Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:58.282{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa240ada.TMPMD5=36DBBADA813EDB200C2B5A8128054E48,SHA256=F4E0DB2CD90C5DD2683AE772A460616D1F0DB8B7E1C978F725E37B250DA33754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652285Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:58.214{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08102E4FF895225D26AE1B4C90ED902A,SHA256=9DA68B5E8C17693013219E8C2E7F13A7BBFB8925E85049F3E107E47A52DE22D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652284Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:58.213{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0D0E512FDE671F5D172E5868867B3D1,SHA256=C1ECD7F51DD4E05FC70C0CB89FB782F9AFD722E30AC0EB302036AE234FCAA106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553932Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:00:59.857{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61808D3BE16B11888BD62C91B60214B3,SHA256=3A8140610DF9F61D66EF6818F8C38DC4B9B1B2DC4370E71C5AF0FF963BA04D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652302Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:59.497{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5EE762623B6E06EF04A75CF3D61C6B,SHA256=66E9607E39FA13CA328045DE1874CED3057309519FD1EB86BC7032C667EF4E33,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000652301Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000652300Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a240ea3) 13241300x8000000000000000652299Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74819-0x8bc0e5dd) 13241300x8000000000000000652298Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74821-0xed854ddd) 13241300x8000000000000000652297Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482a-0x4f49b5dd) 13241300x8000000000000000652296Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000652295Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a240ea3) 13241300x8000000000000000652294Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74819-0x8bc0e5dd) 13241300x8000000000000000652293Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74821-0xed854ddd) 13241300x8000000000000000652292Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:00:59.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482a-0x4f49b5dd) 354300x8000000000000000652291Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:00:57.440{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65139-false10.0.1.12-8000- 23542300x8000000000000000553933Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:00.857{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C5DD702A16F61B3F686E2E77E62CEE,SHA256=F93CD5689B1BFF34B113467CB23BE610573766DBFF411BB58042A0F529B59DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652303Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:00.519{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=160E016E3E682896B9F401D325B685D6,SHA256=1231FE80D1DFCCC40AD15A693985F1F2A01AA18AFE19B276EA7A22F27A74091A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553934Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:01.889{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29E57E484E0A194889904E864E0DB6C,SHA256=B63F894145F8BE7076BFC9FBF1D19188CBC11BBE60C0F104C728E5C50799C407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652304Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:01.523{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED41A0BD6F3153BD9062F46102339FAC,SHA256=20A4F9C1291480E5824728DF196D6BAADDFEF1E575BF5ED881151113424DB459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553935Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:02.905{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67083965635652CD0DFDEE09B007A6F9,SHA256=EFA7BFBA1BCCDABF252EB0AEC4C4C1473DA08B89D0F172310EB0CAD8CEA4004F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652305Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:02.592{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E716A8070C39F485A688CA138DF5AF3D,SHA256=644AB136A98A67C5405E3802A614BEB7355BADCD67ECD945E1A5D6F308402102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553939Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:03.967{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB4DC10E1DAC201F99193FC33453CC7,SHA256=78D34220A14896484EC596D6EF3688BE8FC12B64D76722F9A25DA231FF70B2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652308Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:03.602{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56529040FE4CC26FF439EE37679C70C4,SHA256=BC06846D2AEC77FE98F9EAC21AFDCD88CE69E164677950D048E5571AB9B59F2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553938Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:01.844{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51604-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553937Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:03.233{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE851FEE5EC158DA44B980DEDE3914ED,SHA256=6378298F0AA13EA2FA5A85B239849FB002529EB73C83A3EA31E2A505BE8F47FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553936Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:03.233{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E319C417848A62746A86F4F47DD57E82,SHA256=E0AD40E9ECA53EA4FBCBEF1372793AB5A35C70E1ED1C052C10FD9739D85330F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652307Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:03.305{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FA7980A8AC46AD0012A1F7521EDED93,SHA256=ADCE4394F8BDEB16D7DD69E796C91A0AB3D9E1087EEC9059059471C8F91D4A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652306Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:03.295{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08102E4FF895225D26AE1B4C90ED902A,SHA256=9DA68B5E8C17693013219E8C2E7F13A7BBFB8925E85049F3E107E47A52DE22D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553940Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:04.967{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE03C4FA4E5497321AD0ED7F594AFB1,SHA256=9BA9AEC5FC228883F21ADD9E69EE48A8B58B1E9CA1A337BF831C404F70C89D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652310Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:04.622{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50C83AD253E9220A2033AEC813D51EE,SHA256=CBE8A8A514CCB2D72B95ABB91C4E531B5B02B2CB080524F04DBC1A9BD25B4566,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652309Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:02.480{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65140-false10.0.1.12-8000- 23542300x8000000000000000553941Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:05.983{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F259AA5A245E033D52F8CD3BC5F5090,SHA256=AC85441F94575028E78330650486E34FEBD6ABF5CAADBEC9988E290342362E05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652312Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:05.692{7B03F3B2-D0CA-609A-0D00-00000000BA01}9127316C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652311Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:05.633{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FC2787BA9F60628F7443976E50DA14,SHA256=4F45FDC920AA61CB0337FEBFD9AA9BE6F58CDC81D3141C1FD889C747F534614F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652313Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:06.638{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C24F393B7BF2984AFA219D93BA8E305,SHA256=A91D7B4CE755EAA82B238DA1A2381E60A89E13E42512C551CC74E751C54985DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652317Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:07.646{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73DCCF9B3A06E04E3921C74A29B30A8,SHA256=CED813EEB671CC40C01BF0009FB853C2282B8F201713BDD03815CD780476DEA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553942Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:07.014{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B67AAF6EA6F37B0F63B9BE43408538F,SHA256=704DD2F8DECECDE07A46D442D0849C49D7E3BE157A171B80C08BB9D3B6084420,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652316Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:07.196{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652315Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:07.193{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652314Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:07.193{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652318Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:08.662{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=535FF289D00C1D59079FACEAE6395AAC,SHA256=368667C1A43E41505034D70CAA8CFCBE912788529AFFC96E0122F18B57781D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553944Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:08.733{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3D654EE0870478C0FAD72E420FD14940,SHA256=D4378E8F7181B8C51390C697B84EEA23821741A0FFCA53D255A6250EAC4E44D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553943Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:08.061{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12993D4ACBDF2CEB39EB28410DDCFD3,SHA256=183FC654AB79B407805A08E2B19CE632F61F2CCF646A43450EE1FF49E43969A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652321Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:09.682{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403328366E6A38AC74B62F35FF381C2E,SHA256=84090490D1F77B856BC79A77BD3A551E295912A072E7059CBA25195F007C73DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553948Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:07.719{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51605-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553947Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:09.124{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B0B9D28E5136439EEE85C6B4BE5A66B,SHA256=AFFEE5FD9B5EB9F85C19B4AA800D1BCD07BB8D83852B9BE600363F1AF0B203C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553946Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:09.124{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE851FEE5EC158DA44B980DEDE3914ED,SHA256=6378298F0AA13EA2FA5A85B239849FB002529EB73C83A3EA31E2A505BE8F47FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553945Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:09.077{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDC6C146993902AE108A497CECD20A1,SHA256=3F102659D12B80201D415C4B1139E1EE92C2413371C6BB909A8011A0A0D54A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652320Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:09.225{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2890AADF2390AD40E4AFED4D8F12BE62,SHA256=9B4C0A23D2D0C69CAB09FBD495FF248C69FED1FE91E21454F1CAFDD324F87C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652319Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:09.223{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FA7980A8AC46AD0012A1F7521EDED93,SHA256=ADCE4394F8BDEB16D7DD69E796C91A0AB3D9E1087EEC9059059471C8F91D4A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652322Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:10.686{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3845531193728F8B0F23B19111999F62,SHA256=B6A45CD831DE6A72AF0E2FDC1BD1BA2C2DF4E8826D6BA53B77B5867B0B51AC48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553949Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:10.123{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F26E5584B8C4ADBE76CDD9F475D8AD,SHA256=5D30753A5AA99AA1FD848841A2E7C86591160646FD3DF740491DBFC176785AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652324Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:11.702{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3B06EA4C0DBA18CD53336201D21E84,SHA256=40E7AAEBEEE258476DE585AD5FE158F7D4E16AA064F8DBC2180D985434C7F53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553950Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:11.155{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3C2C58429448DE63601DF2CACC2F49,SHA256=1B6D03703905BB467F0D0A85874ED9C83EE509F563945A90FC71B07F2297F79A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652323Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:08.452{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65141-false10.0.1.12-8000- 23542300x8000000000000000652325Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:12.713{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CB035B57AA040151425433E9781038,SHA256=2246DD9A851FD119DE342228D7C34EEA1EF982ABB77D96E381C85DBC3B173884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553951Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:12.233{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF0C271FD44E74E282F91FD6718F677,SHA256=86C51E698A1A50CDEB7AF9B4DC40264A915B40488C5F2D24CB033FDC09488BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652327Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:13.877{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2890AADF2390AD40E4AFED4D8F12BE62,SHA256=9B4C0A23D2D0C69CAB09FBD495FF248C69FED1FE91E21454F1CAFDD324F87C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652326Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:13.725{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC5634D4E3F4E7E25CB4452F15B6718,SHA256=C6A8A6C44639E4890088C3CF9230EC0D4585F7BE3052F0C12C9946B745CBE0F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553952Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:13.248{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD40A016142A25BD56F26063719D174,SHA256=5911A9E3FF22807002F6A7557BD5FD689A87298612A30AC810E3D70A462D79CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652329Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:14.731{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC9F9EF47524D84D1243D2C1C65B64C,SHA256=C6470D930D6F72A12321ACCB7692564DF541839FFD06F08375E5AFA1D0FB4F4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553956Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:12.750{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51606-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000553955Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:14.248{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA51D210B883CC08C9862AACEACEE5F,SHA256=C650007BB1270668CF73B3F4E1991F9B50BEB631B17091D9842BC916DF0888FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652328Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:13.100{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local57053- 23542300x8000000000000000553954Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:14.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C30CE5E046B788A63DCE3787BF7DC36A,SHA256=37C1DBCC24953A0C14A8F6F19BA1DD9AED2A7086A6818F16BA16F9C91A2645E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553953Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:14.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B0B9D28E5136439EEE85C6B4BE5A66B,SHA256=AFFEE5FD9B5EB9F85C19B4AA800D1BCD07BB8D83852B9BE600363F1AF0B203C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652332Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:15.778{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0A1861C263E786AEA3A8A3416B6608,SHA256=D44AB03670CFE691E5561B8239946D99D09C862EDD2271FA2AE071ED70E80FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553957Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:15.248{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DC92ACC80D1C4DD394768E5D7F86A9,SHA256=FE167B1254E02956C6B467451D11A98180DBCFA4F1AE776A6A481036A00D2B54,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652331Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:14.337{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65142-false10.0.1.12-8000- 23542300x8000000000000000652330Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:15.127{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61F2361457659ADD870E650DBB637A35,SHA256=8389523A2F2EAC3E3F760B02E7BF61BAB882ED11D4D0BFA521DEF472382657A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652333Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:16.789{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72213F153CD2F492313D3C168BB9FB1A,SHA256=52ED553D81039F01645CE35F208402DE4819BA7DA3A9CFD0AB23433208979F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553958Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:16.264{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B15468B2423FF7E9095EFE87B5361C9,SHA256=E829F18D33D0D7D478C441775BA985B2930EA924F6A2C5AA19ED08E7EA20FAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652334Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:17.797{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACFA84E38B4899CD42538766EB9CA44,SHA256=B0FCD3864F5B948C949F9E44C2034570E3280CBFE305331B0883C0F706AAA54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553959Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:17.280{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBA24E685B45CB14252722D89C698B1,SHA256=C7336F13CB4D1D70C181C779E5AA80BD0DD77FF4D76787ED72966741D5A63EC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652336Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:18.847{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7003C3872D0352157C692EA9C4149CC,SHA256=9F2E41CF3D817134EA3E6065D94BB37C7001E6DB4275B3E7F8376BE9641FDF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652335Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:18.804{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2423BCA0193A949096E92A5874D412E2,SHA256=7C7241DA7C014C2B03E8B2D9169DC5237EEC2D3F9F9ADFFEC0170524A6F7B96B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553960Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:18.311{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF0F97643E00E94762236292E67CCF1,SHA256=D75F8ACEBE75E04B79837B631642869CF4C9B2E81F8AA68FE3B8EF38163BBC9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652337Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:19.813{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61B6A2594ACFEDDD3D7976F97AB7644,SHA256=185E110F07BD7C45ABE98F8AE146DD4209F233E33F8C007EE8F6F81F458BC589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553962Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:19.327{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38EE3CD41133105B3A2911DCBE5CA46A,SHA256=2F23CD6980F22614BBBE777C12B4950B5D072F650299F1AEA34C87C2E7389887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553961Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:19.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C30CE5E046B788A63DCE3787BF7DC36A,SHA256=37C1DBCC24953A0C14A8F6F19BA1DD9AED2A7086A6818F16BA16F9C91A2645E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652373Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.852{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6722BF9882B7C829B1B3D7747690DA3,SHA256=2EE939D6EF7A40BF1D60E6EB8C78A03CAC76826DAD7A22F8DA2B508A6734DB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553964Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:20.358{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A339FCE1BA252D454F7A69EF983CEFB8,SHA256=B214E4DE74679CF60FF589B94BD542F0042AEEC00C173A14A624BA2E3F86059B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652372Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:19.370{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65143-false10.0.1.12-8000- 10341000x8000000000000000652371Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652370Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652369Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652368Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652367Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652366Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652365Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652364Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652363Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652362Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652361Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652360Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652359Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652358Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652357Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.279{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652356Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.278{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652355Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.278{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652354Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.278{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652353Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652352Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652351Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652350Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652349Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652348Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652347Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652346Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652345Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652344Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652343Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652342Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.277{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652341Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.276{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652340Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.276{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652339Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.276{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652338Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:20.139{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00722ADDE5F64656A16D712A18FB17F2,SHA256=83D875BF194C0B2C100504271388C8DEEF76875167D16F96DCD5F83F28B64962,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553963Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:17.813{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51607-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000652374Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:21.862{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80DC71DE71FA55C3DAC498BC98B50FD0,SHA256=598409B9E6FCC558E3E10BEDC4BD3FD7469ECD2DD5B4BEA873E6CB10106B5AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553965Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:21.358{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E906FE9AE98CBD0F63DC03C15F7522,SHA256=992399AE7B314FA88343E50AA9C44F48C19A9DBC434995A1B3AF4B516D70F898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652376Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:22.935{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652375Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:22.871{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86336C83AB37560FFA0EA36C0AD8F75B,SHA256=7967E9B71CF1CC84517831554FBB1DDBC08A56AAA2F5FC97E901354B3AED7409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553966Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:22.373{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B414A04DB7ECE87870EA80580D5760CF,SHA256=1140F2F2B63CC817BD4BFFC21B387AC53CCCE9F5142C3B37219FCB27C69235CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652378Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:23.945{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF848978021A2109741ABFBEB1B8DD8,SHA256=4CC0A53196C81F277C5A8F7CA317B4388F3DE1763619430700FE0275476C8461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553967Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:23.383{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA57ED49E588623B8A3C08397D8F606D,SHA256=D055C3ED080AE37E09E183138B5009814A896B180DD68052A4F943FE62BBBF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652377Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:23.853{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F4B4D81BE22EC1D3A14027318B957DD,SHA256=52424D478180BCD1EF0224517500AB662D3BB481D4D6FEE6C936B54A6E25BFA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652380Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:24.951{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96FF5E7B84FB63AC729EDA6DC214632,SHA256=30DE94C62385D4A013B3133FD49C6A94FB39555065D02E60D72FCF26D0BF06FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553968Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:24.398{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79853D56EDE88CCACE5900E55BE22F8,SHA256=8C20F429B0C08990DA23404EE96D95E8797BC69917E4946B32BE7027F2806A56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652379Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:23.172{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65144-false10.0.1.12-8089- 23542300x8000000000000000652385Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:25.957{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE4ADCCB3D070254416305781992512,SHA256=73FED5A3ADE1DAC8F54FB3DCF30427D280FEAE243E223434B5ABB61AC4C6E8E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553971Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:25.414{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FCAC76C93DD4BFD2CB81B71BC84491,SHA256=ABD1278CE4208DBC1B165A91DA0879B12585970E02E79B55B7815DE992D23F32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652384Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:24.386{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65146-false10.0.1.12-8000- 354300x8000000000000000652383Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:23.563{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65145-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000652382Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:23.563{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65145-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000652381Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:25.178{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEC31C425414C19359505DC17CE0525E,SHA256=94CE0188F46040DD79A9CD403AB32E47FF4647CA6B87D08E969B5BDD6325AA23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553970Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:25.226{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C15E2D8FBEA2BA654F91F2DF19A235F,SHA256=C4C23A79A8C741618D6558CA2267F4DC0252D5A3C79BB00AAB2344CD26247D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000553969Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:25.226{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B63817FB112F6E47BA2A53D606D5F406,SHA256=00B8B02BD816219022D845926BB9206DFD45F3E334FB86DDF01D64DAC4C3D745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652386Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:26.961{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9890378A051B8C8668499219CF240E6,SHA256=FE0F5A5AE2AD3F859C7D01340A2AB67342B178D0503B16FF6E0145C7C2A452A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553986Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6976-609D-584E-00000000BB01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553985Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553984Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553983Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553982Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553981Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553980Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553979Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553978Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553977Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553976Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6976-609D-584E-00000000BB01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553975Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.789{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6976-609D-584E-00000000BB01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553974Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.790{E1BD9FC2-6976-609D-584E-00000000BB01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000553973Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:26.476{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A18F99F7F7A18F0F85A28D464E7649,SHA256=03CE56605744AA1FE6C39528A7FCBCAE02DCB0F6C1E9F93930E60113EB9F9877,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000553972Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:23.806{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51608-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000652387Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:27.969{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D2270C8AB16BE62195A3D5F7EB1BFC,SHA256=AF76DACA88D1D92E717656DE1B11710717272AF57C66E220656B6AA20606861C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554002Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.804{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C15E2D8FBEA2BA654F91F2DF19A235F,SHA256=C4C23A79A8C741618D6558CA2267F4DC0252D5A3C79BB00AAB2344CD26247D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554001Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.742{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A410E3C833933CCED203025A07D551,SHA256=C196A41C87161D60D40A9E5AEF774D5D2CFCACC0342FE51816BD43867F2469E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554000Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.586{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000553999Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6977-609D-594E-00000000BB01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553998Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553997Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553996Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553995Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553994Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553993Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553992Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553991Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553990Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553989Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6977-609D-594E-00000000BB01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000553988Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6977-609D-594E-00000000BB01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000553987Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.461{E1BD9FC2-6977-609D-594E-00000000BB01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652388Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:28.985{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4CDAA362B1C3ED3F19239B4D8344F3,SHA256=EB578344301AB165423DD5FD263866839B7214C5D74C87E9958CFD304B12B287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554017Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.617{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3ED32603A72A1A0AB9EFBAC858910E1,SHA256=93D751911887E1F65B8B8B4A835D1105FC450D53C5C4C90673087D6C5F36A4C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554016Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.258{E1BD9FC2-6978-609D-5A4E-00000000BB01}19762664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554015Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6978-609D-5A4E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554014Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554013Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554012Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554011Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554010Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554009Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554008Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554007Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554006Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554005Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6978-609D-5A4E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554004Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6978-609D-5A4E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554003Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.133{E1BD9FC2-6978-609D-5A4E-00000000BB01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652389Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:29.991{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A940BF730F9FFCFBB91AD18588ACE2E6,SHA256=74198A189C142FC82D71EBEEBD374AE6DC0F79D790FC54886A02C4417C5AFB90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554020Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:29.648{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1915E7E87F4C177D571DA98CAFD8EA5B,SHA256=5410265CA8C17F68E705A81E4010B691E8AD3542A7EF3A6F339732029552CCBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554019Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:27.213{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51609-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000554018Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:29.148{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC97C69875DB3D047A72DC8618EBED7F,SHA256=BF4498ED1A3211384C2E3B56D47D89DB737A22D2BB536ADEF55967CDBE846220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554023Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:30.664{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787EF67E1FEC038B755729A796BF1697,SHA256=01C690CE7846FA0DDD2FD948D684A59361BFADAFBE4969EDC90C9E58116C66E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652392Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:29.396{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65147-false10.0.1.12-8000- 23542300x8000000000000000652391Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:30.173{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C667AB9A2411A1D1AE3BA28B02CABC4,SHA256=BBC0AD7B2135BEF0B2A7319DF9C52ADC2F73FB0E7DD61686EA2E6CF60C44EF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652390Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:30.172{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DED80BC0BB5B66F71C37A69586C1C920,SHA256=CF4FAA2DB6C2EF66C009B065F4B5A5AA4310B87014D105B7FCB23717AD711EF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554022Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:28.806{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51610-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554021Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:30.195{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07B8F96F9A5A31FAC40EE84501289FF5,SHA256=85E9BA241F40AEF3AAAF695695E8C92305B191A0E1C3BEE119B2FFDE85AC1DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554024Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:31.679{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70972A7FCB07A1FE7F2AFA148EC448F7,SHA256=EF07A48A059510FDB4E989467B83341F7A84F4C60C38F4CA1FFACBBF4A5B7230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652393Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:31.066{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3EF3DD7E40125C982664E1CD62C8B3,SHA256=7295E772B4B6E17C9983C8316D634B49C93CA9F32FE8B66BA9A2ED4A59E95C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554025Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:32.711{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A7D4CDA3AE9BED20159ADEFD356D95,SHA256=0925DF811180CD5F939D041230B144A166766156F9749561017703BC95A31036,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652395Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:32.942{7B03F3B2-D0C8-609A-0B00-00000000BA01}6324648C:\Windows\system32\lsass.exe{7B03F3B2-D0C5-609A-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000652394Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:32.090{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598DCEA0F14A64FC968CAB8D41719821,SHA256=81A49B55677DD16611A8DFFA99D12A4582A255FB6656025C506D119113EEDCBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554026Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:33.726{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C2CF49474041721D20D4FB60143A016,SHA256=0D3FD89E388F7B506C3D809AA7C560075A02210404CC3AC2D7E9792C0F2802AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652397Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.847{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C667AB9A2411A1D1AE3BA28B02CABC4,SHA256=BBC0AD7B2135BEF0B2A7319DF9C52ADC2F73FB0E7DD61686EA2E6CF60C44EF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652396Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.094{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0155E0BD8666C8A4CE964CABB5BC8B33,SHA256=1E381F9ACFC2EEF2D0E493AED7A3AF66BB248B17426B9D9585381CCED084DACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554027Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:34.773{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A3606AACEE2E3264EE044C5AC2B3B4,SHA256=16FCCD332C52ADE211E4F01BEAEBD35A26435F30688DBBEE98EDFE21F93B1793,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652404Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.182{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65150-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000652403Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.182{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65150-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000652402Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.081{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-18.attackrange.local65149-false10.0.1.14win-dc-18.attackrange.local389ldap 354300x8000000000000000652401Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.081{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65149-false10.0.1.14win-dc-18.attackrange.local389ldap 354300x8000000000000000652400Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.074{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65148-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000652399Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:33.074{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65148-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 23542300x8000000000000000652398Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:34.132{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862A61F04896B7683AEDDC458DFF6757,SHA256=62DE9B5CE4CE483EF3C4782BA7030A5FBC70D1F82E9C32E2AF1DE2BA999B20BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554028Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.820{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20AB75CD4345A2340471DE250249708,SHA256=1A7F7D5E5C394A5EABBD957BAFCB91A142E697E33127065DE8830CC972D1E652,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652407Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:34.421{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65151-false10.0.1.12-8000- 23542300x8000000000000000652406Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:35.190{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=460092D16FE25C42A28611BC08784E74,SHA256=4EACDA50EF5FB6FDBDC4DFE83E44B9D5E98080434F4BAA5AD7E27E1463CF3060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652405Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:35.137{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420307CD3BC96A01FFBDF2F029D84F50,SHA256=3699DD4F72949600F496F8A8F4950956E3370C33D7EB47A76DEEFB8D23A6FB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554060Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.836{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4651656A56E362718940CD4D47B6A9E2,SHA256=3A5DC72EBA1466346D8AD7185C121543DAC7695C8ED588220634ECB054C6BF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652408Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:36.148{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F09592ECBD1CC3390E82E3B2466930,SHA256=837DEBA492B6AFCD44151C7E0F5AE5D5AECD85C1733CFCDCE31968EA803D1E71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554059Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.789{E1BD9FC2-6980-609D-5C4E-00000000BB01}28601876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554058Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6980-609D-5C4E-00000000BB01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554057Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554056Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554055Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554054Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554053Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554052Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554051Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554050Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554049Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554048Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6980-609D-5C4E-00000000BB01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554047Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6980-609D-5C4E-00000000BB01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554046Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.664{E1BD9FC2-6980-609D-5C4E-00000000BB01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000554045Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:34.744{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51611-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554044Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.133{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBDD5F4983ADE0E008D5B3262D6A023E,SHA256=E137ACE20AB976E4440BB3DFAF2709FE0BDD1EB8A6C339581AD0B388CCB8EAB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554043Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.133{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D2DF58F39A2B95D4E8CB04DAC363928,SHA256=6CE06CE4C21CE196A3C7F3A5EA245C6F3144F3A873CD01DFAA97B529F0722C0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554042Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:36.117{E1BD9FC2-697F-609D-5B4E-00000000BB01}30082648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554041Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-697F-609D-5B4E-00000000BB01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554040Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554039Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554038Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554037Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554036Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554035Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554034Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554033Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554032Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554031Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-697F-609D-5B4E-00000000BB01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554030Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.992{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-697F-609D-5B4E-00000000BB01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554029Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:35.993{E1BD9FC2-697F-609D-5B4E-00000000BB01}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000554088Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6981-609D-5E4E-00000000BB01}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554087Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554086Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554085Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554084Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554083Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554082Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554081Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554080Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554079Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554078Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6981-609D-5E4E-00000000BB01}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554077Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.961{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6981-609D-5E4E-00000000BB01}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554076Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.962{E1BD9FC2-6981-609D-5E4E-00000000BB01}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554075Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.836{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA1F1EA334551823267F2B65FB09712,SHA256=8EEF44100D1013C223AE50B71666754CCF3A506E6FE8394F4DBECE55FEDB6A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652409Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:37.158{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E2D8D7424B85EA26E1D1565B3E9720,SHA256=854B6BB7BC60992E76DD55D7C31F161A39230763F88E6BA57685868BF4085C39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554074Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.664{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBDD5F4983ADE0E008D5B3262D6A023E,SHA256=E137ACE20AB976E4440BB3DFAF2709FE0BDD1EB8A6C339581AD0B388CCB8EAB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554073Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6981-609D-5D4E-00000000BB01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554072Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554071Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554070Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554069Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554068Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554067Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554066Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554065Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554064Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554063Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6981-609D-5D4E-00000000BB01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554062Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6981-609D-5D4E-00000000BB01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554061Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:37.336{E1BD9FC2-6981-609D-5D4E-00000000BB01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554090Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:38.867{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716F2F1A6CC63D29EDB69C599B5E18DF,SHA256=DE7D76DC159D6576A275644EAE1DA22C8D768B0DD1F43CBFC94158702CE31E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652411Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:38.886{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1610BE7271724510A20EFAA7662ADF0B,SHA256=7F3D921601A01631A952FE84B7B1F5AEF41E0C2BBB8169055CC1A52D060FF419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652410Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:38.170{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DA6B0D987A463E70E558AD796FDFA3,SHA256=34908F70BCF6F41AC86B9E7741B65C6E15EA0916144D3C1321E9DA6F97A329B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554089Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:38.101{E1BD9FC2-6981-609D-5E4E-00000000BB01}3560940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000554092Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:39.883{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654062963692073FD7FED5AB4412BAB4,SHA256=B2EC5C2A30053AF76B61F398DE329F8471414C4E62FA22B0DC56065E04B7D463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652412Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:39.199{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485A5EDE2AF2976C251CC8163A6BDB8D,SHA256=30079C4AE407FEAE1ED7736370ABAA8FAF5367A25E94D5BA770B9FCAE6E7AA4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554091Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:39.117{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F75F6048663AE15236BAF2C7267CAA75,SHA256=94816FF970FC270F63076DA4C68230AD2002E112615A7FF3E142D119BA1CB2C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554093Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:40.898{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57868F0B30DC26E4036AD82C82E4EAA,SHA256=75C2B9E556439B4DA361B869B4D53BD2868632BB17E7CBD7222D8E7AE6E831A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652413Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:40.212{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1AB9CEF078226C8B0E590C05D21E255,SHA256=F6CF022BDD988EFC50E7E06E7FCC5BD2B7905A227B5520E3C6C7A608E190B9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554096Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:41.945{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27116D9C2BE69FB767C47C7BCD45E8E,SHA256=94723CA7A613C8F8FC3A234BB0A85E3EB0D7DACBA3824D038F8E4538FB96BD22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652416Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:40.343{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65152-false10.0.1.12-8000- 23542300x8000000000000000652415Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:41.220{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F79C67D6264A434E48DFBD39F45946,SHA256=1771A81FB952B9D0A95189658E4CF02C973B6B53DF51336C3DC0061FDBE0BE2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554095Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:39.822{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51612-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554094Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:41.195{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3CD67E70796A930C0540F301CF306E2,SHA256=2867710BF1D8F8A0431731F59061E99D61F9B2FAAB793660580D9112A54DBF7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652414Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:41.106{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E9A8DF5D8787277CDF0EA0C7FB9A088,SHA256=71A5F0C04DCD9A5C2898BA80178960ED2C22C43176C47C6B21531BBA84929EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554097Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:42.960{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D01D5C1F5001E55918FC0527B8D783D,SHA256=E20ACC23D8878E7395551D8B4986A6DB8D2D1F8428D259ED4D4F3E789C5D3E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652417Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:42.235{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7806892BD64C0265D496FFC5465CB190,SHA256=E91EE96898DFCFA7F66380DE0B32BE5521914C74DEDD87E6204414C85B51DD85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652419Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:43.864{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E5C02AB4E2B297862782D4C5EA4DFA2,SHA256=D3A3CD784598BFA3968E4DECEE31B771E0E3276CC8151E6F95C8B89527148C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652418Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:43.243{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB3FE21AA459B740B9DF572E761BBDD,SHA256=F3D47A2E4423A4CD26B2EC45F3C90B81CBD8DD927C9F178FE001CED2A50AEDD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554098Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:44.039{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1C2C2262EB89A02A1E798AC858F38A,SHA256=74EA242879E695B3D8CB48E2097AB1BCBC52B011291502337E674DB9A4D77630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652420Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:44.260{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B582E79C5632FC4EB3AD5ED64EF82AFE,SHA256=85ABD274211145772CDD0EB713262EF02E62F32B767A14BEB29FF0E1F6EC477E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652421Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:45.274{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C001FA22AB07E300A084DEF1246A1C8A,SHA256=066F22BC5EEA9FB2D03B74DAB6C9116BCB965AF2B0B7D46097D1C251018E8982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554099Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:45.054{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C2D1848CBE40B2331C37C02BBBAB9F,SHA256=0FB60B17035267198D54B1B6063FC6C26F55031EA70F2903F67EB2492BBB9D81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652440Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.935{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-698A-609D-4953-00000000BA01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652439Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.933{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652438Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.933{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652437Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.933{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652436Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.932{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652435Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.932{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-698A-609D-4953-00000000BA01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652434Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.932{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-698A-609D-4953-00000000BA01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652433Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.932{7B03F3B2-698A-609D-4953-00000000BA01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000652432Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:45.376{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65153-false10.0.1.12-8000- 23542300x8000000000000000652431Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.291{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADEE2FB85482685916E7D5E310B7635,SHA256=7AB83D0B4F5BEA875CEBFD98E24B603828EA485E4070A0A1E93755ACBD17DE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554100Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:46.054{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923C57AC80BCF771725B3754EC09D2EC,SHA256=A3310E2886003E710CA3157F53728820E36DE12160CF4F2F1DF4E0394AE373EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652430Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.275{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-698A-609D-4853-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652429Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.273{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652428Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.273{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652427Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.273{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652426Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.272{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652425Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.272{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-698A-609D-4853-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652424Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.272{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-698A-609D-4853-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652423Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.272{7B03F3B2-698A-609D-4853-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652422Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:46.160{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=620E1A9CC80C94F2249EC4B12E8E21B8,SHA256=BC0F49BADA7F8391A8934887DA5CE512A51E7E62E0C8FF4690123933CF8BBEB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652451Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.748{7B03F3B2-698B-609D-4A53-00000000BA01}73526904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652450Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.577{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-698B-609D-4A53-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652449Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.575{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652448Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.575{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652447Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.575{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652446Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.574{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652445Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.574{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-698B-609D-4A53-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652444Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.574{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-698B-609D-4A53-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652443Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.574{7B03F3B2-698B-609D-4A53-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652442Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.308{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=329A82B972EEA5D0D9B1E77849CC4B5F,SHA256=F136BF49B999376DDA5147FCAFC48A15F96A600313A188C7EB28AE02C00DB7E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554104Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:45.697{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51613-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554103Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:47.117{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4358ADE7B5A9A438C0749F875E1705C7,SHA256=C92FC12103E5FC090FD5B2EB6552E242DBB3E436D6BE548D328370089316D595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554102Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:47.117{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8829370F18FF143C1052910D3E5C993A,SHA256=D579799575044912EA574CF490B3C091FF97C4AE91CBDE39035E48859A91F114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554101Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:47.117{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79952A3FF5DDE8338659F590DF4C1982,SHA256=233D08ADE039CF785802308DC8F03E59393805002DF9DEB5F46230287C5578AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652441Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:47.291{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0124523D8555A5B4FB9FB51DE9692004,SHA256=B52240938AE069CAE1EF089DE2D82686F840747C4DA114ED2D8E1810144F158E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652462Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.595{7B03F3B2-698C-609D-4B53-00000000BA01}81285980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652461Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.583{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26D003B132492E615E5C7FF4084CF831,SHA256=8DA3EA2E47D097DF289C101C0D140E933DA8075320E00D7D16A70CE87FD46B8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652460Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.450{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-698C-609D-4B53-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652459Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652458Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652457Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.447{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-698C-609D-4B53-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652456Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652455Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.446{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652454Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.446{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-698C-609D-4B53-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652453Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.446{7B03F3B2-698C-609D-4B53-00000000BA01}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652452Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:48.324{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71E74556965C94B6A9AA25008F26B9B,SHA256=D9AD5C24F43182C867AD1136E81FA20C459EE000DD325B4DDEDDAD1B976650BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554105Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:48.132{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BD722B6BB64C9BE1D6A25E57790278,SHA256=451E83ADB689140C63CD6C1A4CB76668823BAF8F8DA30123353E13F8B8CA36DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554106Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:49.179{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C69C3CE00D1B4BDFA757ECEDFA37FC,SHA256=C8464F95F7EAE1CCF7E59C7E70EABEFC8759253E0739F7A4347D41DB00593B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652473Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.606{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64CC55A27F3A579EC21BBF193AFAF544,SHA256=AF6118231ACCC4971BFFE7612B552DAC41F3A777D05DBC6CEB218AFBC71F1C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652472Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.332{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFC07CCB01F899567D8F1023757E16E,SHA256=DAA75159C37E0E3606DA364A4DAF3C26D8466BA536DE2A63E7C89A663739C254,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652471Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.257{7B03F3B2-698D-609D-4C53-00000000BA01}68481916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652470Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.110{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-698D-609D-4C53-00000000BA01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652469Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.109{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652468Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.108{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652467Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.108{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652466Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.108{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652465Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.108{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-698D-609D-4C53-00000000BA01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652464Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.108{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-698D-609D-4C53-00000000BA01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652463Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:49.108{7B03F3B2-698D-609D-4C53-00000000BA01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652474Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:50.344{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF080D249596FFD7CF67B05C5E0448B,SHA256=52C0909414B62EAB4667FECD2C0F8621772CDEEF15719676A86DB3ABB95C48E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554107Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:50.210{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4197F321041467AFE94FB28CC055E80A,SHA256=F621C535F20AA764F4DBA075993A573F2713DBF784FCA873311BCAC7937AF356,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652486Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:50.497{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65154-false10.0.1.12-8000- 10341000x8000000000000000652485Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.456{7B03F3B2-698F-609D-4D53-00000000BA01}67124812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652484Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.372{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074070B20D2DFA4572DA58F6D485F43F,SHA256=D7FA086315398F1BE9783B72D730BAB5956F0F7C8DA3CA7B7EF23D068FBC0306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554108Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:51.211{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AC80AD403D9BC3224E920032F32041,SHA256=66C1517DABCAEC068D3D32CA254D5ED6944736940AB84CA0601B7D4BEA60745C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652483Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.269{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04B77D0D5A13E97EAAD3B4642029376D,SHA256=58C365AFEB98A192D9F88434FD0053378FF7207BDEC0A7671E21D70807F86A5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652482Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.227{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-698F-609D-4D53-00000000BA01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652481Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.222{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652480Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.222{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652479Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.222{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652478Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.219{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-698F-609D-4D53-00000000BA01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652477Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.219{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652476Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.219{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-698F-609D-4D53-00000000BA01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652475Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:51.219{7B03F3B2-698F-609D-4D53-00000000BA01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652497Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.908{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3FEF1D4DB4646222CDA65CC9CFFD9A97,SHA256=3385041E70F75AC3514C9331C6B01DD1B90437B4676AA722AD64599D9FFC558E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652496Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.476{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B2BE001062255EEDF4285A6F0829AB,SHA256=5736BBE33BAB6C052EBDA08B614F6780C59D13B900C10305276A19E4CB3766C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652495Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.395{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94A25C66B10E20608DA6DE0CD17506B,SHA256=9EECE997FE06E1785E491130468CA5F3C90F659B10EF1AE7453130531F9ED6E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554109Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:52.226{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683FFE028F6478D06AD9EF83B1C97DB8,SHA256=A427C35A538436E3F07861AA7CD7795EFFC2A598ABD9F2E4244ECD9444AFFD23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652494Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.011{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6990-609D-4E53-00000000BA01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652493Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.009{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652492Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.009{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652491Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.009{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652490Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.009{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652489Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.008{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6990-609D-4E53-00000000BA01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652488Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.008{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6990-609D-4E53-00000000BA01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652487Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:52.008{7B03F3B2-6990-609D-4E53-00000000BA01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652498Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:53.400{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E861559C5FA7ACC6A77A07BA929911,SHA256=C2AD537408FB3E0C1227E3F4CA24492BEF3655C21028ABA2CA4E173F2F20571B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554113Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:51.728{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51614-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554112Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:53.226{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C869D6E9001367D63CFCA61DFFA7EE,SHA256=F97CAC06B58EC223CEE21F66099A2C40DA1172CBDCDDEF727CD976A5D202808D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554111Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:53.101{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D483BAFA4F3E1B1BCFA4A93C8C486217,SHA256=CCA883A411BF54E03E33134E4FF2EE38D6637B894BE24FCE4B9EE6B687691C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554110Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:53.101{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4358ADE7B5A9A438C0749F875E1705C7,SHA256=C92FC12103E5FC090FD5B2EB6552E242DBB3E436D6BE548D328370089316D595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652499Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:54.406{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD90E4B639C14EA6B6A15FAD10DF950,SHA256=DB4A1A4B872B1D584C6CC9AAE8159ECC1258AFEB0F91559F9FB8512A671FE758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554114Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:54.242{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DFA1B0CB589E5192F71FC1DEDC408D4,SHA256=E7F82390A86D1093D91C4154B29A9C25C48284C2F127C765EBF42A1416217C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652500Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:55.443{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3748A3AE6DD9570CE3829F46B50E6E,SHA256=B43FEF842FA5C5D28C2ED9904437455C0F7659FF3B6F30EC96C799BE6AB5C1FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554115Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:55.257{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B072959784F934416989EAF178B0D9B,SHA256=3AB97004D730B2C2CDABDA48D45E814A84DAFD50A433CF2B0427DAD84D8C1E6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652501Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:56.457{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F45EF3258580FF364F9BCF9C33F461,SHA256=D6CF7924C054D2F35196949CACA2E743052CF40FF13F120B3025AAF0E1AA6075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554116Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:56.273{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E624B85817172301EAAC3EC62A5598,SHA256=BDAD76236BB665B522E88C2FE4A31C26420EE35335B23A648930BCB39E19546F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652504Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:56.325{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65155-false10.0.1.12-8000- 23542300x8000000000000000652503Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:57.490{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4D676DCF2BEBFEC55698309DF9ACBB,SHA256=0DACE0D0EA6048824332B671298F8A7416776A1D8F95DA023A6910B19292D37A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000554118Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:01:57.830{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74822-0x10c7668b) 23542300x8000000000000000554117Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:57.290{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B092A7353A52D034A2E486D533D6D52,SHA256=1A0470531E0E841464575477A39EBFD919D8966E0977A5AE2C5832E075D588FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652502Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:57.093{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=810394CA6AF0FD6BFEB9C55B8963C1E2,SHA256=4E3A91985E70DFA3A95BCC23A03BAD7814AB28C5F2ECD7FE204CFC9E4E97FE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652506Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:58.875{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0925D2D1D984F465F8FBB43171591240,SHA256=CEBEA011F3721B3C7C6A3FDE5CD8F26D8DCDBA8EE227BBEE4DFC5ABF423A451D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652505Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:58.502{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BBA4B04904029844A56959B441583D,SHA256=E01711C74E328C92DBCE4C1FC07ED66EDB30B1852D081E6CFDAF8534B9EF1105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554121Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:58.315{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DB711C624682A3E648605EDBD242503,SHA256=F4A308433C9B1F65CB2033E7161BB8694B703BBEE05A9ADD60FBA4F6DC1DEA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554120Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:58.315{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C152FC4683E96C95E01991917EBD81F,SHA256=0A60645163292B6D15DDC3809D64CE4294B7EB2F111DEDE0A694FF98CE77C0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554119Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:58.315{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D483BAFA4F3E1B1BCFA4A93C8C486217,SHA256=CCA883A411BF54E03E33134E4FF2EE38D6637B894BE24FCE4B9EE6B687691C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652507Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:01:59.517{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAA4C500D5B1B230DBFE1221AE0C6F2,SHA256=A6785B93B32D1D887F973F20B41FD76623D932ADB6B491511CE297DB95A635EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554123Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:59.349{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACD4CA70AC1B4551648D229853A3196,SHA256=1BD5E0511B591203FF12AFB45458D342B646DAF510831525837949A2A8FD775A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554122Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:01:56.729{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51615-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000652508Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:00.523{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE242991C61B604493C7620A211D9004,SHA256=EBC18F47FE1444C519F32B02A4E42444672C9FE329CC13FA8D75254CD1359C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554124Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:00.364{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C76B7B8758243590E880D6AA937A809,SHA256=B28AE0459BCDE9BC61405A26ECFB913157CA48AB6B4E2E765FA3901EDCC4B32D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554125Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:01.411{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D33BAC63B93C2E3568F4E1232A8C16C,SHA256=AA2FDF8E1ED9996286FC06FF94F8A0B5AC4D02D7D400782AE5EC5C484C872875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652509Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:01.538{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E0491749D8198DA236464C07BF17B5,SHA256=E858E008521B912A4D5E2699506BF86A06FA19DA814C4ADA0F4CACFD91C8B0C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554126Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:02.520{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66EC8DB315FE56A736FD013C5BE668B,SHA256=B9B946B1F163D0B181125A72C1BFEAC2A8B0D03C64C2AAAAE4851BCE2A87301D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652512Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:01.358{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65156-false10.0.1.12-8000- 23542300x8000000000000000652511Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:02.558{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFB5F00F77809D0CC676AD6B44165AA,SHA256=CF9151AF61EB937161F95131C5ACD782992E7534206F15AC8F8CE65A4F5D5937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652510Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:02.139{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19DCF946F1FFA16CCC745989CC6B7A04,SHA256=950361F6860517C115396C55EC9534B7716C25AC7BFD48741C5C14F9E00DBF14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652514Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:03.870{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26EA5A5AC17239448FC31CA1B4D27F49,SHA256=A4A25B214E9FF72EE2772565D5D42787583E7A2F649D510EDB7309C0DF179E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652513Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:03.579{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE1F9F1D826FF69244F7A7EBE0BFC08,SHA256=DC7AEF7A9558001A7D761AC89180B26593E85A7E51AE94FF19977785937ADE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554127Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:03.556{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44502D743CFE5D79B5D2FC5D1AA7935B,SHA256=C0120F55BBD0032FF2C9A40259B2A6FB8A557C83B07FDB6D0061EA377F1E344D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554130Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:04.572{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C94152242797CF100776894D909A811,SHA256=C3552F0A4ED3253C980DA40FFC0108BE6E2606E9EBFCD68F61CDC6FB1043F7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652515Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:04.594{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75CD630EE80B948963E0FFC911B0B72,SHA256=BAA76E35CB092B7473F20EC1D38681F2FC18410DE23411C46BFD2521BC04FB7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554129Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:04.072{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E0AE686963168314B5F7F947ADED3EF,SHA256=606D45179CCBFD3818FBDBB32A56BC0C8B1F407BDA9C621995B95C77346A242C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554128Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:04.072{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DB711C624682A3E648605EDBD242503,SHA256=F4A308433C9B1F65CB2033E7161BB8694B703BBEE05A9ADD60FBA4F6DC1DEA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554132Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:05.588{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2EF8C214371D69BEBD750058E3A030,SHA256=EF548FABD459589A03D3BE43E4E01EEB07F4BEC921459C105CF3D78554DFEFCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652516Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:05.603{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2986616C75688004069255288192BF82,SHA256=B8F1E827E808EC19534F5794D2CBE284A90F55D1E7327E6D7B35142970B989DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554131Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:02.713{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51616-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554133Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:06.650{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EBC3A42934781AD883755513B99D04,SHA256=A0A0109BF6D90C5B784DFC23D0C0235EEC571D9C4E277C9C21C9A3E74CD001FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652517Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:06.608{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749C815C0A2E06ADAFF9B85C351A8C92,SHA256=8F8FBD5BC610CC6C61A0E6B4419E902F14E8AB2315C1435299C0D689C6F736C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554134Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:07.681{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F60CB2073D8A2863C4137F484CACCE4,SHA256=1D98A6B327906A6D2DA360FEB8CE26C76194DBFE084CE3B8E5EE5AEC759CA999,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652520Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:06.367{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65157-false10.0.1.12-8000- 23542300x8000000000000000652519Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:07.625{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC411934E29547324FE94A6F2BD2D65,SHA256=EF175428FEE4A3705B374696C4D1A497D539ADE2C8F656A20B5D43F5C9F73292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652518Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:07.174{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31A200CA1D0B394E7624D99EE337485E,SHA256=4DF3325C943D8771473CC97679A4D4FA69572C4385A9C39E6782B01A287B06A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652521Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:08.645{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A0BCCB8F2EE3A964A9326ABCF4DDBF,SHA256=80DF0DC25C361BB82F56A08CC0AA5A6A1BBE1D34D124AADE2CA0B053D8A67F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554136Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:08.744{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2C7A73D29072C26E194AC9D124FD970A,SHA256=18C6934277B94592AB42F258D23C596E2CB9705C89A5A0B5AB84632BBB4FBC85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554135Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:08.697{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC096520E8A1906AD608339C7D382871,SHA256=3FC5293EB3A1E0D9B5AD0F6B247D643A1E7382C2E9D373B43417DB4FDF9ECD54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554139Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:09.713{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600A259D4C9FDD93B7F8644FB3E8264B,SHA256=B062A9B26720F08B5F9BE13610572EEF12C6F8FBDFD09492D231F7EF1A0C95FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652522Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:09.649{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8811582E818BF2110DFCD2E1715A7FF2,SHA256=68A1FDE3BC8E8005B1DC266A53AA8FA8B3BD26A7EB4058D5DFA62B51537563E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554138Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:09.228{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C1FD09B90A18683B07263843691EC7,SHA256=7163B3C03036612CF33FDFE13206A885B99DEB222115FB88094D07C43A9716DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554137Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:09.228{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E0AE686963168314B5F7F947ADED3EF,SHA256=606D45179CCBFD3818FBDBB32A56BC0C8B1F407BDA9C621995B95C77346A242C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554141Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:10.744{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD5E54ECB5CA2B1D22812B46DC29561,SHA256=95A8614F726ABDDCF52B7F9774FEEDBE6D5400D36CFB2E9261561E2CC8B9BECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652523Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:10.675{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66AE51F2E420B3826760A56B94359D9,SHA256=FD6BA78BAF0FA856251DEE48B15D13941009A1DB929A8554A516942BDCBF70F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554140Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:07.854{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51617-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554142Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:11.775{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BB56D68D657D52DD68E502E2F7B75C,SHA256=A8F31E97EAE1E96C19A4C700862AC696AC536403381589C84DF303D27B70F646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652524Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:11.679{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3535AB29F8966A9AED3ADE1AA02E377,SHA256=4D4AF8EA1F2F8B422CAF43EE5AF66AA4B64B181611CA949691F1F92553596B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554143Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:12.791{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89F48679D561A8D84E7B4A78AA710E4,SHA256=1F6BD1DF353864252CC50C54FFCE127875CF4EDDA3E72CDFAFD34564EABF8456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652525Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:12.703{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A461C8DCB8DD10D07D980921726D195,SHA256=409423D276C4EBC0157326BBACC4A1E6C3861AB3671C987A7C0008062165056B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554144Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:13.822{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44507F6268BA83116BF5CF21830D3571,SHA256=D0ACEBE2BC697AD05C459204FF802EAA7ED5FA14077ED57E4F67CDF3C3B96786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652528Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:13.716{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190CACA44A2197068086B7228B01DF99,SHA256=6FA34D04E3D2B2B408F4756B93C1B2416D13478C05344D982C08E732D8C9CEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652527Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:13.125{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3122407173B1CE24F6B4E3A12963C4B,SHA256=E81C2194D8F8338EC24BA5B68BB2C4EEE0D796D905B09BDD51194AF085287169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652526Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:13.123{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=437CE1FCEFFE399987E1AFB064AE9451,SHA256=9E4A4E66C2C9E18020D99CF168E1CDBEE4DAB797DF90A35869E5EC8894AB97F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554145Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:14.885{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FAA9C5691D4C69DB7E2F32FE85B7B03,SHA256=F63FF759D297365067E87675D857AEFFB7021F3A545ED6CC0C4A80EA207F822D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652529Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:14.728{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B85F1D8BEDCBC9AB2AE64DD5447831D,SHA256=FC0005B5F28223844178B69BAA9D178B23793E4D1C78574D73BF40DFB7F693E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554149Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:15.900{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCF9D71E063E7DEF32DF571E0BFA5A4,SHA256=1D49CDA6E3B147742B3CE7BB91FB1ACEBFA39B4DC62F1C138575CCBC588C3160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652531Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:15.740{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1338336413457C399F55A6595E5504,SHA256=0C43DF51E023051B85037587D82906A887B0EBB239449BE6C5F28C99868EF41A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554148Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:13.713{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51618-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554147Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:15.072{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7CB7B3565F41AEB0F0D2514256AB11C,SHA256=60B691BC91BC265AE1900F5313FA71334C09E9DC9BB11C32D472FE5D49F6E2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554146Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:15.072{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C1FD09B90A18683B07263843691EC7,SHA256=7163B3C03036612CF33FDFE13206A885B99DEB222115FB88094D07C43A9716DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652530Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:12.356{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65158-false10.0.1.12-8000- 23542300x8000000000000000554150Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:16.916{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC42B2AE3397F830BBDC87D4ABAD7341,SHA256=419E0ED9821D377489D4F7A680ED809774A88E7BEB393C50DF5BC6AA1662AC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652532Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:16.745{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC663AEF5F920F012FFEBFF8930A467B,SHA256=82B30FF0C0897B080950770956CE6499303CCA0A2FBB24F12B813BF64BB354BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652533Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:17.816{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA86C9D2644BB7590A1188AAF07257E,SHA256=C1C6A6FBCEC107E67F8316B7D4CCE9BE8B4551CC3952343A9C4801C1954B5673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554151Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:17.994{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0599D943C41A384628FC02996E4450E,SHA256=8070789C42A8D6CE9807B2EA8E734CE2A756E3D39A4E2600D2044B33C05EEA6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652535Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:18.150{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=463D129446C4D7E2AB13E17AEC8704F2,SHA256=976508DDF887FD7AF6829142716C903A128D337CF347120AC68C2C511007BA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652534Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:18.148{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3122407173B1CE24F6B4E3A12963C4B,SHA256=E81C2194D8F8338EC24BA5B68BB2C4EEE0D796D905B09BDD51194AF085287169,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652537Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:17.380{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65159-false10.0.1.12-8000- 23542300x8000000000000000652536Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:19.049{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB28D2420FFB15F22266B5A5FDA33FE,SHA256=EFAA153AFEA7B2E8C6CDE3271C3E5A2AFB13579F299034977CFFAAB6E3F81E73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554152Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:19.056{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADC17BCA429FEBCEBB6D409F7A247F0,SHA256=50796DB6037AD87BE5AB66AE9FF8CEB8DB9878FCFF4891B04865F1007044AD14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652538Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:20.072{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106890C8F28F30903D50046F6C514CF3,SHA256=27941C3B531E28F3547182F1E82E89B428E685DEA6A694A077839503994DB30D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554153Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:20.056{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A18B50EABBB8FBC106FED1C0553BF91,SHA256=269BFF45943B3DC7DBCD7C76D8115FDD4F7E26608E8CFE35EDFA6163A9BF6FB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554157Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:19.713{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51619-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554156Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:21.088{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F2F6C04A6556D7D3D1299D3C141B7F,SHA256=447766303243C87F296141FA42F2167C1CEF8B780F1C209AF61AAF8561DAF516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652539Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:21.088{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120F8AE01DE8325FE74DF752D17BDE13,SHA256=62DA00704F0AE4D4AF58F618AE077AA6ABF682100830173FA75BD9AAF3D85901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554155Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:21.072{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D0CF9587ABB195B7A9561255CEAFF07,SHA256=8125279B601F4BC2A01FF9973ACBC98C890A1BA03C720E2506F3788685FEF138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554154Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:21.072{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7CB7B3565F41AEB0F0D2514256AB11C,SHA256=60B691BC91BC265AE1900F5313FA71334C09E9DC9BB11C32D472FE5D49F6E2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554158Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:22.119{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEF71DE94540539195296387C33C7C45,SHA256=0EFFA1FB6D8B73F42B07F43BFC5FB26012D07404517498CED6D8ADB22FF36488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652541Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:22.942{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652540Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:22.105{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87F764DC726090EB3252DA6C2E120B8,SHA256=BCD3D5C26DC4AEE4A64C956FE3EA0FB7CC65A47060404CF3456FEECB7516E49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652544Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:23.251{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7531A67015DD798ABC280C9E4602E0B,SHA256=4B7776BDDF11AEF8FE14E11CB7AC840078E387A9286A8FDBEB389E990331CB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652543Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:23.249{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=463D129446C4D7E2AB13E17AEC8704F2,SHA256=976508DDF887FD7AF6829142716C903A128D337CF347120AC68C2C511007BA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652542Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:23.115{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A032350433167186DC72A625CBBAEBE,SHA256=1D28303CB32EC1FF4B6BD7975DCDC708DDA14574E273027D58A13034E2F15C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554159Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:23.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462B022FB3076C828DDE6B3DC85465F1,SHA256=7B866D7FEC5384A1050AC24985CBBEBAF97F76425CAEA83D54DF1CF625993778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652548Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:24.369{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7531A67015DD798ABC280C9E4602E0B,SHA256=4B7776BDDF11AEF8FE14E11CB7AC840078E387A9286A8FDBEB389E990331CB66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652547Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:23.178{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65161-false10.0.1.12-8089- 354300x8000000000000000652546Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:22.485{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65160-false10.0.1.12-8000- 23542300x8000000000000000652545Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:24.136{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AD9A494878868E79D73BEBE2AA9D47,SHA256=4FE28B8483B4B9142655120A5607161B566DD59EF793E94D91606EF5E3ED169E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554160Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:24.155{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA5CA381E64A2FA3E64080EBB07898F,SHA256=61A2169F62E50E5A4C0E89A57289525C8B7C71CE42B1CD90A930E607AA0A4D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554161Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:25.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FAC5A5BB62C85A1A0F66FD44425AACD,SHA256=35661A2D9666860FB2CF5CF256FBA4266208E16546DFDD91A6956FA4DBFDDF02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652551Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:23.587{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65162-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000652550Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:23.587{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65162-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000652549Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:25.151{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C645D7D9A1D15D67ED54B846617E89D,SHA256=6E258D0BF119B253A51155B32A3ABE2929314B9DBAC70F051D2803F7B8E59EE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554178Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69B2-609D-5F4E-00000000BB01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554177Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554176Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554175Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554174Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554173Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554172Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554171Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554170Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554169Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554168Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-69B2-609D-5F4E-00000000BB01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554167Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.795{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69B2-609D-5F4E-00000000BB01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554166Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.796{E1BD9FC2-69B2-609D-5F4E-00000000BB01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000554165Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:24.780{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51620-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554164Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCDB6CB3926AEC9936DC845745DB842A,SHA256=57A69B675EB00FF2CC81AAB9D66C5AB7C1B7B90E32C95F0F9A6E7F6D6D7D25E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554163Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D0CF9587ABB195B7A9561255CEAFF07,SHA256=8125279B601F4BC2A01FF9973ACBC98C890A1BA03C720E2506F3788685FEF138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554162Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:26.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2A8C52C80E2942336C4F583D97B099,SHA256=7963CBA7B4A85EB29BE6A88D0404B15EBA16EF6841D14BE80CE0D68A9F072600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652552Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:26.196{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C4A62F299297EA0AEE5FDF17BCBE47,SHA256=8FA37126BC005BA339B581CED58BD9D776EF62F7B4FB16A4F68E2FF58EB0AF41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554195Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.827{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCDB6CB3926AEC9936DC845745DB842A,SHA256=57A69B675EB00FF2CC81AAB9D66C5AB7C1B7B90E32C95F0F9A6E7F6D6D7D25E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554194Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.608{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554193Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.592{E1BD9FC2-69B3-609D-604E-00000000BB01}7202924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554192Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69B3-609D-604E-00000000BB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554191Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554190Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554189Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554188Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554187Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554186Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554185Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554184Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554183Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554182Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-69B3-609D-604E-00000000BB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554181Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.467{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69B3-609D-604E-00000000BB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554180Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.468{E1BD9FC2-69B3-609D-604E-00000000BB01}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554179Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.248{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24E9F4D7FED2AC9D354E7FB5C9A688F,SHA256=2F568ADA350BBBA9D4C0126B3C26E128D42637CB9291AF4F35C0EF2692E0C843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652553Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:27.202{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596F867DA19FA6ABE1E0BC1417E22BC7,SHA256=C5D6A963E5C6927A6DC05E82982A93CF5011133C0F468BF117129934EA4D57F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554210Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:27.233{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51621-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000554209Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.498{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8601ADBB0C37ADD21EF350FCFC9BBA7F,SHA256=45884718BCC22AFB8735B590FADEE6C28ADC2EA8649DDCB10A9C3D3A3392EDE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652554Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:28.216{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35996C00A1566B3F9AD4D154D9242A2,SHA256=B2FADF6ED0E282B3323AD0027978FEB62DABBC1082250B3F5572288F03A36544,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554208Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69B4-609D-614E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554207Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554206Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554205Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554204Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554203Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554202Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554201Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554200Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554199Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554198Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-69B4-609D-614E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554197Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.139{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69B4-609D-614E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554196Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:28.140{E1BD9FC2-69B4-609D-614E-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554212Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:29.545{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F90C20C8EAE8BA2601E5CFF9299F64,SHA256=AE1107A71BAEB175046B274132E07FE299F1461DF773121BDA14EE5F28307D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652556Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:29.225{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC87D15A3FCFE5E569B047B9352C0B83,SHA256=7597AE7898C0B2DF3204E2427F8FE5F896F44F7191BCBF98B48F2294C782C8FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554211Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:29.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF7790E7AF4FC211F2F5E3BAD433210D,SHA256=1EB13F430FF727CCB3D6B33A4F32890298CC66ABD1C0673F2D89A9A1059E805B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652555Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:29.118{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBC5631D9733792A5CE92AB9CB0CCCB0,SHA256=6EB08E0D84DFD82980490A7FF8C4F34593570C9D43C24451F8E473A0E58F5C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554213Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:30.545{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985F14D684CBDE74D72525AC28E40233,SHA256=51408DA844CA4CABDBE150586AB9CC54F547C8E1B7518EB61881A3853CD1F2BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652558Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:28.345{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65163-false10.0.1.12-8000- 23542300x8000000000000000652557Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:30.232{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA61E279D99EC1264978A37E0AF27E33,SHA256=12EF86DBDE4D12E67DC0B1F77C95D6D212DA1F7B2E5EB19F847D22674A43AFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652559Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:31.288{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F52ED66E4BF8C9D3DD3F9EE86AC648,SHA256=B1BC5396344852806FB8AF4F313036A6BF28F2D4EABE1478B675860F38B74951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554214Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:31.561{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3AC3A33245D529BD44415D290D2F94,SHA256=A045D91D3FD75B709E61BAB17343C49C5BB01893B8507DD2AD61D9DA9B599F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554216Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:32.577{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7197075CBA41AD274A56C94BCE4DFB5,SHA256=0860AFAF1BD5845812A2F25314F25DB4412A7BFF571FA39FD1288C17894FADC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652560Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:32.294{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661746FD61887A4BDDCB6109A07E078F,SHA256=C85DF00B9E4456FD3ED3D52A4F4159DDE5AEC19AAC30CFD68069F062AC0A2611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554215Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:32.202{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D05BA6B6C9E15A8D5766C657144F95D2,SHA256=464282DE2EF20A1C78DC20072EFE954C427BF7A072F2E0480D164D2E01CFF6E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554218Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:33.592{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7804CD894E920A2416CF08B85FE87683,SHA256=0006B1240334C1105B84B37D6C4789A8457632EF431620FA153029AE8BD20BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652561Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:33.312{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D69971A826D1B3EE1DA11D7A5D7595,SHA256=431CC4D084645B8D3221F57798FE4B92179D332E15904DE1B64CE149486B1C8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554217Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:30.827{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51622-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554219Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:34.639{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53D0FF397235B82DAD828472781407D,SHA256=72AC09D0E3918F8291AF944B69528D1FE90F44FAE81A6DDF6EDDADF403F5DB00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652565Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:33.397{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65164-false10.0.1.12-8000- 23542300x8000000000000000652564Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:34.320{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4673360AEB3892A6EB2FFA08E5A842,SHA256=78E04638F63E34ED3E7DFA742A64AD2BD13BAF9A57D6ABB30FCF09F9940286B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652563Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:34.165{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF162D450774ACCC1B41413FA9F1E8AD,SHA256=EE79D06B2D9790B0996E2D99819B91C7652DBC43BF6AD38B489F21C739C91780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652562Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:34.164{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99876973730CF57351D45B941F260F7E,SHA256=3B6AEB457B50B72695EEDDFE68A088E132A28FDF8B39026EC7B44968C362F6AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554220Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.655{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A995B392C2E60AAD3626AFD40AD5EDD,SHA256=07A71047C51BD82AF4575A581A2E9D71BB5360E749F38EF388D2EDACFDF5AFA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652566Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:35.335{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C92A5BFA05E345C8692E3DF5FBAD328,SHA256=F3B142293328A7CE43367C78B0C0956779AD65BFAAEC2735D7F5C19D1C0EEE0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554249Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.795{E1BD9FC2-69BC-609D-634E-00000000BB01}19923672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554248Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69BC-609D-634E-00000000BB01}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554247Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554246Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554245Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554244Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554243Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554242Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554241Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554240Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554239Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554238Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-69BC-609D-634E-00000000BB01}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554237Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69BC-609D-634E-00000000BB01}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554236Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.671{E1BD9FC2-69BC-609D-634E-00000000BB01}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554235Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.670{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CD47A6826E5430063AAC39B9543BA7,SHA256=80A864B55B5DB7FC4200C6AA106B23C2603087C1E73F321D3EF441CAC6D1A395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652567Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:36.366{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7388043E3FC28BF155EBA05263745BF,SHA256=80761ACD19240908983D5EABD0D91A7C8F19205BE04569E29FC97EC91C4C147D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554234Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.124{E1BD9FC2-69BB-609D-624E-00000000BB01}18723368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554233Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69BB-609D-624E-00000000BB01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554232Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554231Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554230Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554229Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554228Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554227Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554226Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554225Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554224Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554223Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-69BB-609D-624E-00000000BB01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554222Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69BB-609D-624E-00000000BB01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554221Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:35.999{E1BD9FC2-69BB-609D-624E-00000000BB01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000554278Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69BD-609D-654E-00000000BB01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554277Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554276Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554275Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554274Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554273Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554272Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554271Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554270Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554269Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554268Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-69BD-609D-654E-00000000BB01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554267Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69BD-609D-654E-00000000BB01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554266Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.813{E1BD9FC2-69BD-609D-654E-00000000BB01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554265Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.811{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9809A8261A266A42CCCAE37D175EE4,SHA256=EC6663AC6476B44F420CED94D9AC941EA97C0B9E8CEB475F3D429D5653F51BB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652568Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:37.373{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A1FD50A070FFFCC028D45C18CDE949,SHA256=CA5A5C396B9A9BCBC6DD1E3E471076BB629FF39C554CCA239B965C22EB183E1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554264Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.311{E1BD9FC2-69BD-609D-644E-00000000BB01}37721012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554263Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69BD-609D-644E-00000000BB01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554262Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554261Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554260Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554259Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554258Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554257Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554256Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554255Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554254Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554253Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-69BD-609D-644E-00000000BB01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554252Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.186{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69BD-609D-644E-00000000BB01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554251Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.188{E1BD9FC2-69BD-609D-644E-00000000BB01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554250Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:37.061{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFE7DBD9555211A8B224F974991EA3C4,SHA256=85E98709DEBAEDE28AA1C4FA41F3057AB1180E4225CC6EE3A9CF0B18746C8BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554280Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:38.827{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB14596E8BDABF8BF56AE95E0B3F1BBE,SHA256=3A313F9EF15A6FAB71794AB7839BF1EEA9E956FB0B1378E6B821FCCF8C1C8EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652570Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:38.874{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF162D450774ACCC1B41413FA9F1E8AD,SHA256=EE79D06B2D9790B0996E2D99819B91C7652DBC43BF6AD38B489F21C739C91780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652569Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:38.398{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED476EAA0E52FF92427666B4118278D,SHA256=B8081C2718A45F45298C05987DE7CDB3926C5C784D9075ED8171681C5747709F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554279Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:38.233{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA6830EA6A5E759428D1DC43710C7F49,SHA256=30C056DCD59E8F8E20CBBA559EA7FB804EAC62B7C7477A88DAC7DE600541C2C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554282Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:39.858{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97E351E3B74B0938464171D197616F4,SHA256=3ADF65D3E0003940D405974E3B93B990579B21D5A17A4C5FA158B28D8B7957B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652571Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:39.418{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495E13556B0EFC92A3624176BBA2A681,SHA256=8E02607C8E4305AD15719B8742E6C45007D6E33A95AF4BCC5F834ED6CF824217,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554281Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:36.874{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51623-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554283Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:40.905{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16D6141BB42D819DB4D228623DA337F,SHA256=470FE6FB9844866E3AC4109301A954A8000B03A6D13EC8DEAEC3C9D66430997D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652573Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:40.424{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5CFB5EFA5D3855B9D6C53692FF2EA2,SHA256=23D838BA0500EB6DD2597FCF40EA8DB790115E5FF26E8B7406431FA34804981F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652572Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:40.108{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=963E9B5CF5509E7A1BFEA0508B624759,SHA256=A52A0760214DC4969B34C8645317F7DB0D01817B49BA6DE909AF0B8602E2BD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554284Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:41.920{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=628DDAEAE8D15A659C56CC09731ED207,SHA256=405287D854314BDBB197BB1CABB7478D6C79C1827DEBB7367806F27998E5FA58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652575Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:39.330{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65165-false10.0.1.12-8000- 23542300x8000000000000000652574Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:41.431{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056C3F7749F239F0F549BFC3357EFC7C,SHA256=0A8F46A32276299A4A68C1E050D28EB794DF072510EF14650EE3AB6EEA403189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554285Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:42.939{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5025BD820D64FD440335A3B596CEC06E,SHA256=D622283D54D6EBA8B359FD36E5AF700F2CD81F695B8EDCA4349E6DCDC188937F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652576Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:42.458{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06CDE6DEE1B9F82D7244C495839FC0D,SHA256=2AA610517450C22AB5F0079DB08ECA0E83497652ABF72375E1C1CD6EBFCA3E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652578Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:43.887{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20B59F985D9CA59F712BDD6C80D8BF46,SHA256=6DBEFEF9E9FE7206201D16BA2625E1D480298E5E7568C2795C305F1C19D80067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652577Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:43.462{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF4193CB6270BD5DC30E66289CB26146,SHA256=88F5904460791C9D9C50392BF63A1406F1AB8210CAA617A23C822ACA8D9C49EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652580Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:44.510{7B03F3B2-4788-609D-774E-00000000BA01}1036ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1036.xml~RFa25a9c5.TMPMD5=5714059E6175AA2BE2D911D4379F98E9,SHA256=264C6878029CE25FF6ED4F8B1DC23FC47E1DCE8FD2D3EE4B31E7066B69968955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652579Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:44.477{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA2E8D0E4621973E752D421617EA472,SHA256=D6EAC4AE793C3A719D0B0C5F5B0A759695D27823CE556AAD78AF559C92538D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554288Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:44.127{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B8C0F5A12679691D43287903BA110D3,SHA256=1640DF372EBD02B9284ABC2F65346668C156D743B161BBEB0FF7CCCEC080B6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554287Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:44.127{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03F4F08BC7DCE797A422A74D16C0C234,SHA256=A933A74AC0072EF45BB9EB6E1D1EDE998BDC5A698203FF7C9ABAC2A49B04DD55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554286Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:44.017{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5CCF6E31FFFEC84916FFC9D22D5584,SHA256=D2489D4581A8AE1D802274D60C044B3CA866D876475F9A7CF521BA47EC1C13B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652583Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:44.390{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65166-false10.0.1.12-8000- 23542300x8000000000000000652582Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:45.488{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA20D5F0E124D4F0A9E23BFFD0D0528C,SHA256=3C0E5AB32C129918FC8D9F896A7443D53412B6B5777CB42306F27536A83C3526,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554290Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:42.752{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51624-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554289Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:45.033{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDD4F3F8E681B3F0624A4E609BCD0ED,SHA256=2DA85C9D4A42FBA9ABD34736BA087E27BCDDF367F039A6EED886D57A22C88DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652581Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:45.180{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E1335089DC7B617CCD231B232E94914,SHA256=0D4D2E5B27EC3C20A92A2FDB0E4F31251DDEACE099B3EA562604EB87658F644F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652600Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.961{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-69C6-609D-5053-00000000BA01}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652599Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.959{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652598Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.959{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652597Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.959{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652596Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.959{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652595Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.959{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-69C6-609D-5053-00000000BA01}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652594Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.958{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-69C6-609D-5053-00000000BA01}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652593Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.958{7B03F3B2-69C6-609D-5053-00000000BA01}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652592Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.508{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEE2E44DC905459BBDFF5FF789AB9F6,SHA256=DDA82A9F2CE2D36D959B177723D2B4BC54229C7B8D801007F681A597B0807BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554291Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:46.111{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39E60FFC7AEC5E0C467ED0CB2AE5DAD,SHA256=0F9A4E3C842B056ED0B53EE2F091B32DE922665981FEC5F8F97155710E2CC34D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652591Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.280{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-69C6-609D-4F53-00000000BA01}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652590Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.278{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652589Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.278{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652588Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.277{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652587Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.277{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652586Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.277{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-69C6-609D-4F53-00000000BA01}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652585Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.277{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-69C6-609D-4F53-00000000BA01}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652584Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:46.277{7B03F3B2-69C6-609D-4F53-00000000BA01}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000652611Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.566{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-69C7-609D-5153-00000000BA01}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652610Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652609Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652608Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652607Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652606Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.564{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-69C7-609D-5153-00000000BA01}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652605Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.563{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-69C7-609D-5153-00000000BA01}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652604Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.563{7B03F3B2-69C7-609D-5153-00000000BA01}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652603Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.523{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8908C1C774BE99511F4E7340663451B2,SHA256=DDF9FAA07528E28CF2539D77885CC741282BB061439997DB8A1CF42C4C8FEBF9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000554293Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:02:47.814{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74822-0x2e925302) 23542300x8000000000000000554292Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:47.127{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5905B327A7A52C105EC1B74D0887F9B,SHA256=08159654570FCF05DC3BB60C4071A147D674B5D04A1B69F8CA4257429E7C5498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652602Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.286{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D026A128704B82155F844E47E1079153,SHA256=6FB0C8C7126A6B87035BB7C475F4F4EDAFE920FBBC8A04F0CBD1E77BBBEEEAC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652601Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:47.163{7B03F3B2-69C6-609D-5053-00000000BA01}69724988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652622Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.667{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E7CE32115799BA68247E0049920D8DB,SHA256=5B1278B8DB670756BB2A3BA903CC79C68DF753D6458098281672F27428E05A50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652621Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.632{7B03F3B2-69C8-609D-5253-00000000BA01}59727840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652620Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.553{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9643A63DF135C8F12F20DAB57E099FD8,SHA256=4E76DF7EDC5DABD9EF89C1D1EA887AEEFA741205B9385BCEE7C2564C54B11FB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554295Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:48.877{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B8C0F5A12679691D43287903BA110D3,SHA256=1640DF372EBD02B9284ABC2F65346668C156D743B161BBEB0FF7CCCEC080B6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554294Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:48.158{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B2496C805EF77FAB53D99B035795D2,SHA256=CD67315E4BF7CE36BB3604C6612749C37F154CE04587C43667BF2F53C0E5E6D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652619Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.449{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-69C8-609D-5253-00000000BA01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652618Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652617Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652616Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652615Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.447{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652614Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.447{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-69C8-609D-5253-00000000BA01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652613Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.446{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-69C8-609D-5253-00000000BA01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652612Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.446{7B03F3B2-69C8-609D-5253-00000000BA01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000652633Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:48.042{7B03F3B2-D0CA-609A-1200-00000000BA01}388C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-18.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal123ntp 23542300x8000000000000000652632Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.568{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EBEDBA239E4D898A3E8EFE1E6D82A9A,SHA256=8A28475BE590D6ACDCBCA3797B4FE68A6AF86D3682C92AD19ECDFDBFCEC5571C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554298Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:47.439{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-681.attackrange.local123ntpfalse13.86.101.172-123ntp 354300x8000000000000000554297Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:47.439{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-681.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal123ntp 23542300x8000000000000000554296Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:49.174{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D7CA74A1C0434A6B3CBA5FC0C15B33,SHA256=74CE77A5A2A7DCA9680A946A22662D8B1F23E808F69522F574005AB178BE0FF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652631Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.264{7B03F3B2-69C9-609D-5353-00000000BA01}68723212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652630Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.116{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-69C9-609D-5353-00000000BA01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652629Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.114{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652628Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.114{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652627Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.113{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652626Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.113{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652625Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.113{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-69C9-609D-5353-00000000BA01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652624Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.113{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-69C9-609D-5353-00000000BA01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652623Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.113{7B03F3B2-69C9-609D-5353-00000000BA01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652635Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:50.587{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31680254CA4070676606AB28DC2BC095,SHA256=65056114A3A10624791C268399C4B0C094F49B3E63E8D3B6E490703B93642D59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554300Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:47.846{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51625-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554299Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:50.189{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B2A3C588E6010D8C6BB07E05721B40,SHA256=ADB2F3CD096B92CFDCF9E8A11AE94CA640643AE19628032786AA1BCBCBCD0867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652634Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:50.121{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28ADFB7977A710FF1E944F928279704D,SHA256=7FAD760396C0821F91B6208F444C863D4B72729BFD675B57B2BB1462306B171B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652646Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:49.434{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65167-false10.0.1.12-8000- 23542300x8000000000000000652645Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.598{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EADDE5E39ABF12C45F892FCAB1E339,SHA256=1144295D0FA7E00E577D057DF4B3F2C9B4737FDEA56679E56180142E29329DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554301Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:51.189{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96A1E75DA264A0532DB8CB2CF0E8414,SHA256=228C53E5A56995039F5BE2CB5450058564B1C930433019935476C36E40F47681,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652644Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.418{7B03F3B2-69CB-609D-5453-00000000BA01}36965568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652643Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.239{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-69CB-609D-5453-00000000BA01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652642Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.237{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652641Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.236{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652640Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.236{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652639Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.236{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652638Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.236{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-69CB-609D-5453-00000000BA01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652637Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.236{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-69CB-609D-5453-00000000BA01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652636Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:51.236{7B03F3B2-69CB-609D-5453-00000000BA01}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652657Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.910{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CCA849F108366447E365620B1BDAB78C,SHA256=D72FB98CD5B49CBEA03157D94938A7D2FCB558D92E85A6260A3206A3BFD52724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652656Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.629{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4611B059A53E52F0BBDA4943E0424A,SHA256=25AEA5EE0D19C5F74190233E1900E8BB1FFEBCE4BA3F21A1420786B7FC0671D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554302Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:52.205{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF5EE7AA0B2BA4406545B32BB0E601E,SHA256=10A2D733554914A63F86C4AB8ADB120B7D576E93B53711E5DA6321C352ADF1CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652655Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.250{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C41CE11E16C1B5E99ED7A9508ABCC183,SHA256=1C6FD1E58340F794CB2BC2904B2927ABA4944F8408EBB1130989366CD9B0E2B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652654Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.018{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-69CC-609D-5553-00000000BA01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652653Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.016{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652652Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.016{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652651Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.016{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652650Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.016{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652649Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.015{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-69CC-609D-5553-00000000BA01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652648Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.015{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-69CC-609D-5553-00000000BA01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652647Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.015{7B03F3B2-69CC-609D-5553-00000000BA01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000652661Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.601{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-18.attackrange.local138netbios-dgm 354300x8000000000000000652660Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:52.601{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-18.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000652659Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:53.640{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB31D93CC50D63CD34BB70244B5F053,SHA256=E1BFE175A7304B5510A942F8D6D4573824E9F6480EDBB53382FA15B29D5DF0D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554303Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:53.236{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C16415CA5170A1259F0BD6E5D19E92,SHA256=83F6CECA7486C8295C0A367BC381824EAE6558EF6753B5F3C7FF9CB9ADB49CBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652658Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:53.377{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16F28100867C10F0B588D269A25205CF,SHA256=3BD0BAA4A9F2B7BD874661DC77FF77259359CDDDA41C1AB2771090BAB7E2E461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652662Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:54.646{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA6300DF319C1FB79296CA401128E3D,SHA256=4AAFF0F4DCE1EBD5C400B879D5268154938C5460B27478A6575583BB9B1A973E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554304Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:54.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B179BA905785469F23504F7636071C3,SHA256=E4B0AC24D8341129544B1CA64D1C9BDC6458E6A502D26FD7E010E6F804168ADD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554308Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:53.830{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51626-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554307Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:55.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=281A9C655367C369D56CE770F5B73C81,SHA256=21F6D582083D8426346215F3E1A6D3FAF321DF70286E006B7E262089BAC7311A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652663Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:55.657{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0856C8AC5C29D848536290998FBC26FF,SHA256=376709760B3C702E06F407CD4F5947E9B2E66DE4C68B4E395E5203F3925CAAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554306Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:55.236{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E56558484CFC5EDCBD933A3B8D0D054,SHA256=647D6E67375C4127D7C898C23DB7AD0AC1D426B1EEC045405C4854FC691AC21B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554305Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:55.236{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D5B4A51383CDB05AF906BB5E80F00CF,SHA256=B890034074BEDF7DFA243DF084353428AAA772FC4237BE589FF0B497A31F21A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554309Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:56.314{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0C56E0963D665658791DD1D9FAFA42,SHA256=04CE1CCE66D489B6BAA8F409FE57FB22C28282617A2D53B5D22AB69CBC34048C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652666Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:55.464{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65168-false10.0.1.12-8000- 23542300x8000000000000000652665Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:56.666{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063C12C063E5E10562605CCDF637C3B0,SHA256=8A24243BF63412162991F0B5E2CD551153E9B79F27E3F164F5EC499D9BEE7E90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652664Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:56.260{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2319C0445C0CA59C4CC49DF8477CA8D2,SHA256=4E013E7345699EB719846B90FF64A0A75281D2435B011D81213E9A013F18BBCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652667Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:57.682{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB25900CD71C5E6E81C8249F81A54825,SHA256=24A18BC2371130FB28D751012D4AD14152B97404511421DEAD2F3415667F0C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554310Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:57.361{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40624BBB9E6BD1697F43937CE4670CF5,SHA256=B07F62FD741866F2E27CC9AB6322BB72297C77812FCC833BBC9946A00FAC88C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652669Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:58.928{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85B8697C5548964CE6BD0175DBE9D1A8,SHA256=1914AB8B3DEA029C1EBCAEE54CF5C55CAE2BBD6AF16F1059974F570EF656AC26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652668Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:58.694{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC1E2F0345EFD4203CB342F84DF2317,SHA256=B7E8992B453B3B0439F1E021A39353A414A12FC9B1999B2775776FC5A1FBF912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554311Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:58.362{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F12000AAC1A5765C16EF9674DEA139E,SHA256=BB3FFDEDEDE4CD23B742B0FA780AF680BFD37B69CC88D5076E21C5E792C60071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652670Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:02:59.707{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174BC123E32CDEFDE103D68F7BE322F2,SHA256=4C8B8F9472BF6BD1286B85672665AEF4CA300540CD5BA5A76A2076FFA6B5E773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554312Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:59.406{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B466021F2AD066C073450526C2953E,SHA256=CB99D1BE3CC520BF61D634A5A5634CCEE9BD823A469B9A99224AF6A794CC83F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652671Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:00.720{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33059F3183358CF0E16C97B882F3AFDF,SHA256=60BEF726366EBDBDE92AEF8DB0504EF406361631A6F1AF869A65C467C1FE13E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554313Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:00.407{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3441C854940CFA95E09D1D9A6A69B8BD,SHA256=67515BA944E83B724CBE680306A922BF1115620EF5C5B3CA3D82289F12100293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652672Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:01.726{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E09753BEED898246A5EEE025A50AD44,SHA256=8B78EB6C4CC2022CB15682C3B28229874F14C57A3A9843D0C1DD03C977D504C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554316Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:01.423{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84FAFA4E76CBC2FCCA3106ADC74D6C6C,SHA256=9D58741242315083B169B2951CD2C6F5CC2ADB03E399F18185776272C8C1ED7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554315Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:01.173{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9B75B98088BB4559DA00AA5C52F5FAA,SHA256=7AB01D61F1C07A3ED18F8D9E4BCE3D2E2EB31C97916F6B9C9048378B20E2F3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554314Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:01.173{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E56558484CFC5EDCBD933A3B8D0D054,SHA256=647D6E67375C4127D7C898C23DB7AD0AC1D426B1EEC045405C4854FC691AC21B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652675Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:01.284{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65169-false10.0.1.12-8000- 23542300x8000000000000000652674Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:02.738{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF6B48071E709DC4F4AFE96E0EE1661,SHA256=143764038106C87BD4951BA1B2B80AF69B8F8D3BE8FAB5971BC4A2B598718D13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554318Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:02:59.814{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51627-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554317Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:02.469{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E02E069593C0DD20DBD4E759E29717,SHA256=8B05F363F90044BFC53D00FB0FB2D5FFEA057A005810DAD0AE2AA9584C957767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652673Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:02.047{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F56E7F06A2FAF03BD315362DE7112FF,SHA256=06F61416CBE6039743930D75FA7C752980CA77DFCCDE5D7B6C79B7F08EAE9027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652677Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:03.911{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=063B32EEC21C7A761D3DB840E7C0345D,SHA256=740BECB5D037E20031A46B4C4ED936DE94DD0AF7F58064248CE037DB448134C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652676Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:03.744{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4753A4661C7175635FDF04B7FF8B3CE8,SHA256=1DEEB756C408AE3EAF7B428B7502BEF2279165D0EB89FB9EBB77B51154C285AE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000554320Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:03:03.819{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74822-0x381c7c88) 23542300x8000000000000000554319Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:03.475{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBCDEFE1E89F97579501E9D864ABE8A,SHA256=1C7F478FA39A8DA3F30828EB596FCEEB7DC10CD570B3D971212B4A0775723996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652678Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:04.759{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5031A7F3EE93D3D02F3915F14B2D48,SHA256=ABF2B926BAE5B848D16A4994AD6BF49CDD6A76E00981B1DF9810B09B933D3228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554321Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:04.538{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2B6D8397977CF6C801B93F27D05456,SHA256=508189E99A84723FBAD2B2EC001CC6BC1EF81AA18DC65F5F242E6EA8EB53D523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652679Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:05.774{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B580E756FFBEDBD970176B2F5F3D6A19,SHA256=AE5E28C0AB39BE13B8B34F2BB086B09600337A0E7C1278F56C0E337D1B571C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554322Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:05.554{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767936DEF22080EC4490E165176974D3,SHA256=4C8A59153CA2152867FA5AC6527EB693E710113206256CAADD4532414936F297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652680Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:06.791{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BBED6C9E9EACABDA662F841E3911EE,SHA256=541A803F55FE4EC1892FD82342E0449BAC411492E0A5B77E6310049AAD8B4150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554325Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:06.554{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9934F003215CD3E9FB868BFD7A1E9A45,SHA256=E87B8FBA46AB90EF657E2CD54021F6B340099965224C6DD0583C977B70F6847C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554324Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:06.397{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE0BF9C372D8C8819F6683367F9E9082,SHA256=00D3B531271F05B7F8DC36CD6AC94352831BE66DF42CC5480B1990FEE6046F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554323Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:06.397{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9B75B98088BB4559DA00AA5C52F5FAA,SHA256=7AB01D61F1C07A3ED18F8D9E4BCE3D2E2EB31C97916F6B9C9048378B20E2F3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652681Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:07.807{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08E75DEE90886C992B26511718477CD,SHA256=47ACD426CE649172A7C314758B05B99BED5D7A996F161B8E669A783C09662FEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554327Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:04.851{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51628-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554326Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:07.585{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2524C6078B5E37A53E20300313EC5EB5,SHA256=E5A18B2D1234EDEFF03E293AEFAD05765640EF4C2EEBF7658C6AD2D521465247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652683Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:08.832{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C9A7EA88698CE748DA903008804EBC,SHA256=7648E225E905B37C5CA999CDE026AF1086CFD04CEF9F732B4E5F78B062BA9CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554329Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:08.757{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ACA9EF42D205DF4352C4FF4F9331CEB7,SHA256=80156483426669A4442DEF7D48F271D0B14FE15A1B756227BF2C35FF70573707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554328Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:08.632{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C01DF01644B28C3EC597C835E888DAB,SHA256=7FE821ED443DD4E009415AF802EFCA19D7B91EF4E4724A7E80B3981C0452A64C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652682Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:08.157{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9874F38BA63E863BA15E1EA36EABC0B4,SHA256=76B7E8E1EA3031EC0D145FA28BCF11FAEDE578D1663DC99F52377854907FC29C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554330Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:09.694{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B3C3399677419C1F3B34E6FE989A47,SHA256=723AA02539AB8B10896728A58C33C87E05927D1EEFAA65B6DFEE277D1B0C3A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652685Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:09.849{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73F6FDC1AD0B1E6BE5CB7A2E6CDC1C7,SHA256=8175E44D6D53DC9BC6ED6532A22A503D4D6F024B0C179F65D8129A0A289AF3AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652684Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:07.326{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65170-false10.0.1.12-8000- 23542300x8000000000000000652686Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:10.863{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D301DFD91C2328500E655FD91BA729E,SHA256=23F1F49ED16F3ABE2EFA8CBF4BB33B09BA25730236946A01C4BDB00E925F473A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554331Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:10.710{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4518B3ED10D9D8D5E8DFCE9515A593EE,SHA256=3309AD58D22DEA7108EEC047CBD2D58AAD7F67464E2FC638562CCEB725DD051B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652687Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:11.880{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BE38F1FD365B79B66D5C2D79167254,SHA256=AB4C33B20A2CD75F89AA2929AC6008F3049BB62A0F4E18988DF848652992BED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554332Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:11.757{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7ADCD2B41A8F531EC04E345B5C80D8B,SHA256=B629AA50609B3D923279570C15A3277E328FD2764FFE2EA435B1CD5FBEECB0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554336Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:12.772{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0D13A85F3455D765B0A084842B73F2,SHA256=7F5D00F5118AC44D27AC46113836017DF4F1C54F84E948262B5D6EF7B62675F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652688Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:12.888{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AAC6F33042212145F323D9D09850DF,SHA256=DCD0E32CABCB8D67711794E53AA379730E0E4E2DBEF74F760BC588071B772EC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554335Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:10.679{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51629-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554334Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:12.100{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F011AD088ED744D54B042438F12DE338,SHA256=6273834EDA420B5AFFF2FBE58205D1BC19B123C8DFFEF1A1B6A7FCCD412DA14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554333Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:12.100{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE0BF9C372D8C8819F6683367F9E9082,SHA256=00D3B531271F05B7F8DC36CD6AC94352831BE66DF42CC5480B1990FEE6046F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554337Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:13.819{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F61C7917065FA1B2290261AD79988CB,SHA256=24509C843A59F39847FCFBC72A0AE423E8E9AF3FBDCB736321ED0D1D319D0DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652691Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:13.900{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1445BF5A9091B156794E15E8DDF23F1,SHA256=7B3AF0D6A9DA9BCAC8CE53B7DBCE166FD5A4728718B6F633AFB410F9074E3469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652690Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:13.183{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25F85C014904AA4C2C58EF89C3FA42FB,SHA256=22D09C72D5ED1973BA159563636272E5CFB1011CA90102A187AAB790069AE72E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652689Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:13.182{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EF437154BC177362EBC16A220FDD631,SHA256=8266F9AE92A8E005984189EB96B401A0E5E186BAAACD8EB54A32C501C0A81D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554338Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:14.866{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5C9C827405326E011D3B8DCF1FBD27,SHA256=1E155DDBE6F3F6770B66AD0E329C164BD7807F76F9C8688052BFCCD26EF374FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652693Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:14.917{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A07957429743366A5DCDD4C15C822B,SHA256=5B5FD7DD64A577F3B1B6C5FB35DC0EDAF22C0AC2AE12829E1CF3C3FB7BE16705,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652692Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:12.414{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65171-false10.0.1.12-8000- 23542300x8000000000000000554339Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:15.882{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0F4FC668B3E58F3BF5DC7D0A2AF504,SHA256=0D7FF8226170F2B89E76EAA3D520E395D4043AB7F2328E2B44A31F66C655DC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652694Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:15.928{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6449FBD9F6554B1CA996EB11C9B9811D,SHA256=B6B191BEA1D3996DCC4F4844464E8B9BDCA7CA97A39C3E8E790E5D07BCA18497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652695Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:16.957{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D083F5879EFBF3817BB0145E7719366,SHA256=F9F0A2D3DF08DD0E6586E64A1DBD3C7311902F93A350219C180ED2277BFB2C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554340Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:16.897{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C13260A2BFD950FA45A17511B627D3,SHA256=6D304A53A59D72C87B8E0DEBAF746554BCC3D7BF82CC37E3AC77933D66FFDEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652696Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:17.976{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C94A3FD03E8B556196BE98AE94224D,SHA256=A353BE71A6CEFEDF14B09C827035E29CB03D73AAC52729091C3AC6E46EBC4898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554344Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:17.897{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B417C9F01CF73AF2D524842E833130,SHA256=6BBDE971D780B1B6363DF8E92A0DA2A388C94B97A993CB7DED43033B160E8448,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554343Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:15.820{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51630-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554342Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:17.397{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C6164DFF0F11E8F41C7DE31A867E8D8,SHA256=84ADEA329381D136822D43AF2501868657A2A86B9826A596377E24E6C8A15A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554341Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:17.397{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F011AD088ED744D54B042438F12DE338,SHA256=6273834EDA420B5AFFF2FBE58205D1BC19B123C8DFFEF1A1B6A7FCCD412DA14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652699Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:18.986{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D0D50A7AA9E52D72F66DB00654EB18,SHA256=26DD296F75D7CF0691D20D43C4E49D758F15F384115B70B94908E784A5A9EC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652698Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:18.940{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0205D2676A33B30A8C51E9A708040502,SHA256=1E49FC80118FE32F2D6EAA0F7AD71C2D00697A0484C5EB077F70D82940106FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652697Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:18.939{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25F85C014904AA4C2C58EF89C3FA42FB,SHA256=22D09C72D5ED1973BA159563636272E5CFB1011CA90102A187AAB790069AE72E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652700Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:18.414{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65172-false10.0.1.12-8000- 23542300x8000000000000000554345Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:19.007{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D62524A2198C88C9E61BFDC2E461F5,SHA256=819B860A93B83C5F7DB7C4B92C8F4358A848B271171A96F24BD0148978E6F43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652701Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:20.029{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A546517F9677DA5DE6869D380C3B5C25,SHA256=C1EC1AD044792307EA2C71D7AC7E049B98C8D4C82BD6A8FD033BD178816FB3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554346Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:20.022{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8CEDF1D99FBBD96F158DA1D2B107F7,SHA256=50264D0D4EC4467FDC431AA5F0BAA55469A935D8F6ECD57A2D27E6376AB1680C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652702Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:21.061{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1EA838773AA571BF697C25FC1FD836,SHA256=6723984A33D2D3DEE47BAF6B41FF6DF027BA8341998BFA2637EAF65905DF33E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554347Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:21.022{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A1C987455F725BDFD5C4AC5506FA23,SHA256=FF4BF7BFC694E72B488398A74154523C4235A22997F872532E35D62F4E91FEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652704Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:22.967{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652703Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:22.064{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A97338C9B6F3A31B0CA49CE5D8EF7036,SHA256=B78C94825398EA6282998AA182C708A880CD4DB80A8FD6BBC129E89A03A2C7AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554348Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:22.022{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F69A817843B051DF0192A782B56F0E,SHA256=311E3373CD09809B495779601523B76695722EB61561ADD7F93882B6201B07FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554351Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:23.134{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=690B7FEABDCD8F905DEE528F64B4A62D,SHA256=F38D94E265651E0F7DFEE035F00A85E8AE2A2C72DA4825B46EA515D978A99F74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554350Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:23.134{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C6164DFF0F11E8F41C7DE31A867E8D8,SHA256=84ADEA329381D136822D43AF2501868657A2A86B9826A596377E24E6C8A15A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554349Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:23.024{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920DB664A8EBDF272A9B078337A905A3,SHA256=F85FFE7FCBADF060B3196D465C3BF956FD8FD703A6A6EE3B0BE449925CDF76A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652706Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:23.914{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0205D2676A33B30A8C51E9A708040502,SHA256=1E49FC80118FE32F2D6EAA0F7AD71C2D00697A0484C5EB077F70D82940106FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652705Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:23.069{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC2F24537D17F253E3C523AC213AFF27,SHA256=E54F5F39FABAD184001FFAD9277EE83B239C96D176BAEC27E7E2BF44AEF01E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554352Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:24.040{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CBB47C1792341645068B65AAEEE7B5C,SHA256=2508EF42D57D37640886169755F233B0233CF34B6A25CAE645147DE33A130E3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652708Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:23.190{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65173-false10.0.1.12-8089- 23542300x8000000000000000652707Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:24.091{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19058B396FBA0F6BE5B3B8BF9E997737,SHA256=58C3E53A2DAED13613DCBDFA7537E783A36E30F46EF4DB01EC4BC813663789F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652712Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:23.593{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65174-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000652711Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:23.593{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65174-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000652710Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:25.104{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409CC9867839AF59433BAE1E19602A0B,SHA256=E9152D942F4F60F8812E58F6482C8EBF048481DEE0793EF586BD44AC61830B64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554354Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:21.726{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51631-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554353Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:25.055{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5ADC1ED18224D8483A4646EF29A9F3,SHA256=C10920201A70598ACC2753EF8015C9C220E0A733714EC4CC1B4D5EAD8A64BD04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652709Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:25.058{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF9FE8AC7542FB261E376787AF3F058F,SHA256=29678FE0F456E1B7D5ACA2A9FADB18969B677A54B752C5D8A091D5AC01C92DDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652714Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:24.290{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65175-false10.0.1.12-8000- 23542300x8000000000000000652713Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:26.109{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D71041137DA5D78438D52760D12834C,SHA256=B65D5E526510C200C522571C1771BB5F0E7FD1B477D768F26CC3ACBA86072FEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554369Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.915{E1BD9FC2-69EE-609D-664E-00000000BB01}24322040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554368Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69EE-609D-664E-00000000BB01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554367Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554366Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554365Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554364Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554363Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554362Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554361Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554360Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554359Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554358Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-69EE-609D-664E-00000000BB01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554357Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69EE-609D-664E-00000000BB01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554356Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.790{E1BD9FC2-69EE-609D-664E-00000000BB01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554355Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.056{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E5059FE4DC276FC77066CD8B070584,SHA256=1A317C25324F6357ACE43DFEFF9861CA3B75392FC2926ADDCEC031E14C514FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554385Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.805{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=690B7FEABDCD8F905DEE528F64B4A62D,SHA256=F38D94E265651E0F7DFEE035F00A85E8AE2A2C72DA4825B46EA515D978A99F74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554384Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.634{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554383Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69EF-609D-674E-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554382Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554381Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554380Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554379Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554378Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554377Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554376Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554375Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554374Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554373Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-69EF-609D-674E-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554372Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69EF-609D-674E-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554371Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.462{E1BD9FC2-69EF-609D-674E-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554370Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.087{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF8652A71B8D14B29F5302945490D90,SHA256=F13D9FC2ADE8E676D4D14C1A658246517A0ED4966EDF2BBFAEA31EE379A54F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652715Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:27.113{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE460047317B2B2F924E42D3EEDCAA5,SHA256=0A256371A8EC6A23B5510BA56FC5A0B6B6BDE5DD553A500FA80599E2D35A315C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554399Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69F0-609D-684E-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554398Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554397Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554396Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554395Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554394Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554393Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554392Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554391Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554390Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554389Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-69F0-609D-684E-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554388Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69F0-609D-684E-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554387Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.134{E1BD9FC2-69F0-609D-684E-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554386Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:28.102{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B07E18CD3262B2DC8686D5A2BCA4701,SHA256=830A403A839A9AF193AF401FD6F1D4ED27A7043046BFB0582F1E7C842A9914EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652716Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:28.119{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF3B9080B880DA9985BC36A3F38206BC,SHA256=0BC7BF1A8FE1F5D0486EA0C951CBE8720FB4888B74C2A3B1ADF89E689E9916DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554403Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:29.305{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7A9461905542944D3B98D71C1BEA7B0,SHA256=A7227D6AEF43DB08614DAD22B940F00AA3C8C5FCDDB56E81533E26C7D47CC320,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554402Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:27.259{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51633-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x8000000000000000554401Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:26.837{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51632-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554400Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:29.102{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7853C9CB6DA1C68D9D3882C64804607,SHA256=8C55B4ED0851C2CAAA537C4BE387FA0B8C1B95871E670AED029ACB840207929B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652717Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:29.129{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689CB380F82C2346D9FD1262D9F7591C,SHA256=D6CB167EA39B7B514785EC49FC76F8D1A2072024619D82CB77B39AAC1D67F858,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652721Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:29.384{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65176-false10.0.1.12-8000- 23542300x8000000000000000652720Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:30.192{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B05B3158D433C342E88983230E728E8,SHA256=31A704D39C4711A7109EF2A5A75A20C225F4C90E0C4B256F11277154B9C6C310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652719Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:30.191{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF12233DBECB4A085D7730D781C5F037,SHA256=C1BF157ABF69ABE61C2E3EE3E5DB064E3479CBD5C8A5E9C2D0A49DE29E98738C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652718Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:30.162{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4953588B3DC68A807E78FEA791A13AAA,SHA256=932AB8065A3719D188A758C983630A897648CE06193700CDB0C4442EA728D47F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554404Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:30.118{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79D1C90D14D845D50E934DE49CF746D,SHA256=25169D006273BDA33911DB6C4A94338448238E860C73F9335E6545591BE6FD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652722Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:31.176{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1ADEF16DD1E6E303BCD8F45DC970A40,SHA256=2C023D1376F2899D0E6AA750D05D6838DB7ED22BB0B01ED8C85760370FB9F14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554405Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:31.118{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3F1566797EE7953608B038CFF7A316,SHA256=BBFC63C3FB1DBED54389FBF72C80E95AD340E3E95887B77F8441C926F19C87C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652723Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:32.182{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8A95343E1FCF24F4305459649F92FA,SHA256=54BC65E3AFB893126F8D2AB701B4265557FB1EBFE8A25D27929C8BD2412F992E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554406Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:32.118{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F263E32A78BC51BDC880AFF2661371BA,SHA256=35483A86D771F3406950640C6AB556122763A71973968EF7FCA6E1D404528591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554407Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:33.134{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB58E2650D7163CA0A41B6B87170F73F,SHA256=4C22A94C8F4B262F9630892F6B51234A630B92F999A752126B17DE4F485579DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652724Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:33.187{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E276247A9ABDBA8021AC441D939CBDB7,SHA256=C928A0BD30C3F614B883F78B85724B84659CC6533429830F33C2D84FBDC5A6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652725Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:34.198{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6496C5792F3A7698AD682B1E9E6390D6,SHA256=909C4F01492815EE2A0218BA3B3C4AA30698C46604C0799359DF99EB66AE775F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554410Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:32.760{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51634-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554409Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:34.134{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=547AA45B0FAFA74EB5149D903DA79908,SHA256=0F321E066C0BED6AC65AEFC6798B69BF29CDA9CD007B319215EF1EFFF9E08FA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554408Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:34.134{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114B1792AEDD50F84962047AC724B4CB,SHA256=DF69660F1BE16C479DA57E6E760FB69DFE4ACE1AF1B9CEAF9B92A62DA2CC4FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652726Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:35.207{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CEF6FB499566BEA7D76BC89F42E6BF,SHA256=0B968D275D5EB1CD47EC1755E0D4310F98BF4B7BB89F8D2EFCB91B8C8C5804B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554411Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.149{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE306BCC6C89EBC7394D6BB1E2C6F277,SHA256=34D50D3FB925B32292747243CDE7F4DE8FCFC85C8688DFFF1AF57323F1EF4838,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652730Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:35.337{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65177-false10.0.1.12-8000- 23542300x8000000000000000652729Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:36.217{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBE4B7AE05A8348D05C38E5B3C64A80,SHA256=1AC912845F4CE68DF6CC85A5ABB4FFC8A5A1C5428043782B305109D05B06C715,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554440Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.790{E1BD9FC2-69F8-609D-6A4E-00000000BB01}14761072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554439Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69F8-609D-6A4E-00000000BB01}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554438Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554437Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554436Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554435Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554434Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554433Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554432Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554431Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554430Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554429Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-69F8-609D-6A4E-00000000BB01}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554428Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69F8-609D-6A4E-00000000BB01}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554427Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.665{E1BD9FC2-69F8-609D-6A4E-00000000BB01}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554426Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.166{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5C1BB952B8E786C8DE3A7DAEA87FF9,SHA256=772CD8026B9023DEA287A31CD2004864CB9A0D1FFF8D9A43DD057554EA18EDBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652728Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:36.112{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31880CEEA565838FB25467D64BC6C4CC,SHA256=D15974F760422F545241A3B9611D776A2F4F70EFC1B6A19E2F8F997D73720314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652727Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:36.111{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B05B3158D433C342E88983230E728E8,SHA256=31A704D39C4711A7109EF2A5A75A20C225F4C90E0C4B256F11277154B9C6C310,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554425Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:36.118{E1BD9FC2-69F7-609D-694E-00000000BB01}38242080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554424Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69F7-609D-694E-00000000BB01}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554423Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554422Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554421Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554420Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554419Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554418Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554417Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554416Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554415Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554414Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-69F7-609D-694E-00000000BB01}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554413Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.993{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69F7-609D-694E-00000000BB01}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554412Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:35.994{E1BD9FC2-69F7-609D-694E-00000000BB01}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652731Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:37.224{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD07E3CCC944730701B52EAF8A2BA54A,SHA256=1DC5F5CF69BD179F3AB7B99874AFAB3CBE0434E1F331934CC80DEA009B9E42C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554455Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69F9-609D-6B4E-00000000BB01}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554454Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554453Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554452Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554451Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554450Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554449Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554448Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554447Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554446Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554445Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-69F9-609D-6B4E-00000000BB01}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554444Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69F9-609D-6B4E-00000000BB01}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554443Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.337{E1BD9FC2-69F9-609D-6B4E-00000000BB01}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554442Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5558D3442D85858620E6D2AB1FED81C5,SHA256=DF200222156290E57E401AD53523E2214CF4A5B0300B66665030B18957CC8D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554441Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:37.040{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA82AD317B32A835016CCA2BEE0487A7,SHA256=A940463B805E60436C521562917826137F89DE40AF647933C2CD15B2A997B82E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554471Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.602{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4A4EAF0F9E799B81DF13E54FBB256A5,SHA256=C3D9D99BCCD16135ECBF2852031F7973997B7407182A68913F6AE3B66ECFBDD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554470Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.602{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B265AC233385D6FBB0652105FACE3105,SHA256=422BE56134358745CD58749AFDBB099474FA73A6317ED954E08A8469390D410B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652733Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:38.912{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31880CEEA565838FB25467D64BC6C4CC,SHA256=D15974F760422F545241A3B9611D776A2F4F70EFC1B6A19E2F8F997D73720314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652732Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:38.232{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABD7FC9B8C8363F18BCDDD8A8930208,SHA256=8D72C61F8ED843DF4F7541F80DA20E811534271C25791D659AAF628B961B91CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554469Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.134{E1BD9FC2-69FA-609D-6C4E-00000000BB01}38763156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554468Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-69FA-609D-6C4E-00000000BB01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554467Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554466Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554465Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554464Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554463Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554462Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554461Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554460Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554459Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554458Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-69FA-609D-6C4E-00000000BB01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554457Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-69FA-609D-6C4E-00000000BB01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554456Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.009{E1BD9FC2-69FA-609D-6C4E-00000000BB01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554472Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:39.618{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4768BAC13E23EB5E191B4295A4927BA,SHA256=91F9FD7C00BE4AD96F89250D7E4746D07306EE669F274CC4062CBEA8A7DAAF4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652734Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:39.244{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41A44B86FC48431A7E51CA0F91AF6DD3,SHA256=7925377097F4E6882C09C1FBC9C6D390BFDB9123CDCFD381990C2E1FD53CDBE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554475Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:38.775{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51635-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554474Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:40.665{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D27739F422D5C03BFDB851E07BF801,SHA256=CA198834E7FBA2E2B143D1DE7F68D906B9691F48D4C97005916C7D69275D8644,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652735Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:40.253{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A85A23B96897A9E1BA470848C57282,SHA256=82281A8D5BC8EFF9EB2196229ED8E0C3BA9E016CD8DD86F7FC4D34AFE6C5FF69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554473Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:40.165{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F54B9D22691A8CBAB7E525E8F70296D5,SHA256=482F4EF06A32E2F9CC7731062CA0B13E42442822BB53987396004489183185B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554476Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:41.712{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E207BE999DF57737462CA81CF3DEA14C,SHA256=7B1352ABEC9077A4E61CBFDBD39C878455709ADBC91E04ADC0388F3CB1EF602B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652738Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:40.353{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65178-false10.0.1.12-8000- 23542300x8000000000000000652737Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:41.285{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEF97AF3DE4C629B55A715FA5F97DBB,SHA256=D3AFD370199A41C3BF4C3A5772AA002073A639006CFC5A1D2BE1A63C319C3F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652736Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:41.120{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C537559D7E0E1E097CAEEF72494AEF8F,SHA256=866A269C2568440E351260C93C55C2947B34DD885346997F259F5087AD3ADFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554477Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:42.727{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C078454671F6ABDEF515FB0E220FA99A,SHA256=5141B05B4129638B62A347D4A4CA35A2537886374BD25AD96C43E31B93A1D2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652739Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:42.288{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAC254577DE7570B28C014FC20CB96B,SHA256=98D56455F3B5A5911EC7DAE71873CD67F556DAF25D48B1FFD8DD34E08A78FD20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554478Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:43.748{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B18C169E9BD7CA1F6F231D8FF617451,SHA256=484730D66BCCF4DA33E3DE05F978663D43E6DACBF6931CD5070C9386F78DC3B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652741Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:43.965{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=603F3DF7A01E6D20D98EDC4F5144270A,SHA256=B6A3F500FF032CCAB81C7658CF82251CF28BA749071053A26A3D12842F823220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652740Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:43.312{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1CE2015558F2ED8E6B56D08B437547,SHA256=7054BA229B8EF5299E70B180FCED5C82EFD52DE68AC4954306AADB3B5DA381D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554479Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:44.763{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FE429F4105B80F83A334E9B5EF0550,SHA256=0589762B4613257ACD6CB20CCAF6B1FA85AB44E648BD056E009F83015E0BE360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652742Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:44.376{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA71A05C31613848BD02AE25A87FDECC,SHA256=4EDF12E11E1D6EB87D74DAA5ED310F08673B844E8EA32F057337D30C470DC6E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554482Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:45.779{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9BE95780E582F75242F2E800131A76,SHA256=08606AD97D348E86417DD623CFC542446F698CA3E0357CB10CEC6BF7CFC66A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652743Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:45.379{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62813A1E5B4B2F9ADE9715D527AEC9A7,SHA256=4D4B83E9978BD86DC793003D8A78FA44B533B224B3DDC80244D7574F9054B090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554481Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:45.295{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BB916FC52F5A05CA977E0EDE9D22235,SHA256=A24A5DACE2638AA4FB0526C4B34D3B0721DD2E7127FC035BA3B3CDA8991542BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554480Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:45.295{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF4DDBA34DD1FDFD62BD5F86AA9541E9,SHA256=911741C285E70F5DBC43294571C4EC6EF2B17757CCBEAAA51F88C8C579B8C5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554484Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:46.779{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25BDD8258C050452ACCB00BFF4F472F,SHA256=B7C0E7E04266588AB6811260318F55581ED671D93139E8C01650B1F9110A94D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652762Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.954{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A02-609D-5753-00000000BA01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652761Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.952{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652760Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.952{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652759Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.952{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652758Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.952{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652757Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.952{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6A02-609D-5753-00000000BA01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652756Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.951{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A02-609D-5753-00000000BA01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652755Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.951{7B03F3B2-6A02-609D-5753-00000000BA01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000652754Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:45.387{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65179-false10.0.1.12-8000- 23542300x8000000000000000652753Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.386{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2B433144550CC53FA6667D90A2EB3A,SHA256=D4C312FEA362FED9439D805C70482E9C623DBDCBA8BC5090C1DEA3F30F7D243C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554483Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:43.905{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51636-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000652752Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.282{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A02-609D-5653-00000000BA01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652751Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.280{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652750Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.280{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652749Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.280{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652748Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.279{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652747Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.279{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6A02-609D-5653-00000000BA01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652746Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.279{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A02-609D-5653-00000000BA01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652745Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.279{7B03F3B2-6A02-609D-5653-00000000BA01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652744Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:46.155{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D083C2C9BA6C6DDE58546182C9F9300C,SHA256=D771896C119C0ADEF00F792D63CED3C58FDDD955B23BC6DF4E9CFCACEB655B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554485Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:47.779{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA631EF43AC276734601F5CBFB10C979,SHA256=5C972B385F798CBD42919084C437F2C8C52B0ECE6156B99A5FB1312FDB745155,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652773Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.529{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A03-609D-5853-00000000BA01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652772Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.527{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652771Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.527{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652770Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.527{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652769Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.527{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652768Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.527{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A03-609D-5853-00000000BA01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652767Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.526{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A03-609D-5853-00000000BA01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652766Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.526{7B03F3B2-6A03-609D-5853-00000000BA01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652765Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.394{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC2F41A7E21C3134BC194C9353A2A1F,SHA256=FE8D70E03753C7DEA863D1D647DE2417ADF32F57EC069B8C5BEF5B8EA5491D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652764Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.296{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25057B0E13712F652F1F49E9C1F11070,SHA256=A8C1ADBFD60F1F711F88A1B579C51AAC0371ADCBC40B8A31C28D369236BAC868,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652763Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:47.147{7B03F3B2-6A02-609D-5753-00000000BA01}67047048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000554486Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:48.841{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A0C4492415CB71C075D8F4EBAFBDFE,SHA256=FB181658F45F4E89BFEC879F91F52C8B75C1E8FEBE9DB42FD27D42E4D76C2F3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652784Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.654{7B03F3B2-6A04-609D-5953-00000000BA01}69764316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652783Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.539{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C166D213840615BA6FBA16AA0D3D073,SHA256=67FF25CF7D112D707D65E6E930981369172FACB602AD0DCF81DC657CDEB1BA6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652782Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.462{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A04-609D-5953-00000000BA01}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652781Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.460{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652780Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.460{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652779Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.459{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652778Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.459{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652777Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.459{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6A04-609D-5953-00000000BA01}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652776Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.459{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A04-609D-5953-00000000BA01}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652775Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.459{7B03F3B2-6A04-609D-5953-00000000BA01}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652774Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:48.400{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775BB056444EE95E7BB2F90E5528BEAE,SHA256=A5DD2BDADDC0A1019608ED82FD5A53E53E90EDBC25C715634D7A78FE47D54D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554487Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:49.843{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD1D9D9C28AFA305DEE63D57D7D36F9,SHA256=A54F650317A6309920AB0165489266842535EC516DE7F39B91B20858BEC88B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652795Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.688{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79DA9C0C71EE96EF21B04A11AAF99E9A,SHA256=0E1F1A0C08C2FE6BC9E866EB1C61EC4AE18D74419A650C30F8AA882DF18303DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652794Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.412{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2746AAA068ABB6E63FEB9C65B2124D5D,SHA256=99EE5AD59162C53D000455003074CDB1848D04C1443874E1F592427B5AAB8459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652793Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.318{7B03F3B2-6A05-609D-5A53-00000000BA01}41647116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652792Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.129{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A05-609D-5A53-00000000BA01}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652791Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.127{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652790Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.127{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652789Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.126{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652788Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.126{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652787Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.126{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6A05-609D-5A53-00000000BA01}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652786Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.126{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A05-609D-5A53-00000000BA01}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652785Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:49.126{7B03F3B2-6A05-609D-5A53-00000000BA01}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554488Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:50.858{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9761B090A9433214048DF8B75F30CFD1,SHA256=BE599FB393FD95319C133425BF607DEA4277FF816DC1E3030FEEB798691DEF09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652796Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:50.417{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D1996DE1396567BC3905352C37E1BDB,SHA256=12193BCFA1FEA87D81B998952E9D23C6B1526BACA1EEB1552E0A3C397F768994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554492Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:51.905{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE17212418F65ACC1B3037C1212C6F3E,SHA256=3F7A2153CCC357ADFCBAA3B362C9D27C535940D164BFFEDDD7E1FC1C1D2536B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652806Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.507{7B03F3B2-6A07-609D-5B53-00000000BA01}77686900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652805Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.431{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364A58BEFC090C6C46F63B56600D3990,SHA256=53F5C207F2AA8EC245560496DD9DC93093F1EE48EF231ED7EC2F3069A1A21F6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554491Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:49.750{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51637-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554490Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:51.124{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45ABF2617305D498DFBE3C491B120C43,SHA256=F0FEB0B5F46F556B805BBB985078C2E5162B85E1DC7C821C7105E0FD5E76AEF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554489Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:51.124{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BB916FC52F5A05CA977E0EDE9D22235,SHA256=A24A5DACE2638AA4FB0526C4B34D3B0721DD2E7127FC035BA3B3CDA8991542BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652804Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.256{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A07-609D-5B53-00000000BA01}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652803Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.254{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652802Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.254{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652801Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.253{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652800Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.253{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652799Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.253{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A07-609D-5B53-00000000BA01}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652798Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.253{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A07-609D-5B53-00000000BA01}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652797Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.253{7B03F3B2-6A07-609D-5B53-00000000BA01}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554493Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:52.952{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08266722FA56CC7F6B4B26AA1558268,SHA256=6CED14D5B89D9B63866944EB5103F9A21F6D547C4EA2726BA03E87155F545EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652818Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.920{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=160D6E475E755852ACF91DBE814319FF,SHA256=03A0469FA036522F11AE6F64EC4ACC22608C390D24750EA674B27E2E2894D96A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652817Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:51.406{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65180-false10.0.1.12-8000- 23542300x8000000000000000652816Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.448{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21098DDA7F01E2EA25A416D52633AF33,SHA256=E6A796C1A7EA52B82E7FC677E25C35E0DABB7A24ACBA5C6DF229B00AB0C88C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652815Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.193{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2FDBBB3F251A498757E1FC789DAFEED,SHA256=61B758D8C930068A782BD0A3C7ED73FBE5EC0FEB3059CEB19A5835EFB9B14EE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652814Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.042{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A08-609D-5C53-00000000BA01}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652813Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.040{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652812Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.040{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652811Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.039{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652810Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.039{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652809Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.039{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6A08-609D-5C53-00000000BA01}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652808Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.039{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A08-609D-5C53-00000000BA01}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652807Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:52.039{7B03F3B2-6A08-609D-5C53-00000000BA01}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652820Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:53.464{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F6BC497D21FD114B07E17D22D76B16,SHA256=7F1BBA413C865D0E33CCD5ABD7E6676D16D8687611BC933512ADB59D2250A2BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652819Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:53.232{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABD5B39ACBDD950FF5E24D8B378AAF6C,SHA256=1108F4200A79AAA23E8491275935FB471740273E3049EBFA3F90B3406048272C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652822Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:54.811{7B03F3B2-D0CA-609A-0D00-00000000BA01}9127316C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-472D-00000000BA01}4204C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652821Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:54.473{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55F176AFA80DAEFFC37A01940CD7627,SHA256=7EEA413908DD1BCDA7E5CCC96D42BDCD86CB7A36BE71F0FE2502DD03EAEE5C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554494Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:53.999{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34D07046BB74224536451F2B07D8181,SHA256=936D0CB60E9D3D03096B41E7C6910B20D971CF1D50FE2A95DAD106394001780B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652823Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:55.483{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E77FC1BC40004192B7AF389C8026452,SHA256=4D8C03CD1D5B00E3152BF98FF1C3538A319DE144E5446E48D1F0A177B8C5318B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554495Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:55.030{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0FD59DB0E6A5EECEAB2B0A67076BA4,SHA256=EF688512F83903B94AE078D6C76484B0C1E8CFB59D67AAAACDF29FB587125868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652824Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:56.492{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33819DB54F0D4DB8704036E3E0C456C5,SHA256=6087115B9E2FF50FE8373D9B15F137C2034768D08EF93BAAB620119C544DFFA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554499Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:54.797{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51638-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554498Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:56.358{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76EF3B7E96A9B5CA5FB90AD8367143CE,SHA256=4F2603D37984D83AE57ABE8DF2DB4C2021EB309987F853B15B5F2224CBAB1ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554497Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:56.358{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45ABF2617305D498DFBE3C491B120C43,SHA256=F0FEB0B5F46F556B805BBB985078C2E5162B85E1DC7C821C7105E0FD5E76AEF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554496Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:56.046{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BA65D97B5EEC34D42A12906B833F31,SHA256=FCEE14CCCDAF821DB35EA239700BE9A142D97062DD8AC63B4FA17B12BD1D8FD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652825Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:57.498{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB83FCCA1A7C86937D2CCB321F1DE03,SHA256=D86B5F7342C2AF6A7A9FEBD9218CD093514F0A7F8BB5A88D646889BB84265331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554500Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:57.077{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81F70B829AFB64A8837B3D4FB4301AC,SHA256=7FCE73EEFC0ECD99858ED2E829E9A14B4C35A0AC89AFC76B7C6438953EBFA3E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652828Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:57.273{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65181-false10.0.1.12-8000- 23542300x8000000000000000652827Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:58.506{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C6EC7BB3BAD8ECD54E1389EB6692A0,SHA256=0E89FA1FA437C4A1E19299897798B11B2C4AF8A7AFD9096E14827951B44B0AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554501Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:58.093{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A887C62BF225FB6568BEFC2A267914,SHA256=7592A165F32706979456173108F798520E98DC6BD2612045A76ED95C1E4BBAB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652826Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:58.042{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C64E0ACAA32C8E834ED74047374E8DA,SHA256=C4CD2E1FD2FA6FAF91C9BA48D66B8278FFDF6E216A50FF80F79DE96C47B3112E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652860Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.858{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C4D221C7BA9FF0E83EEC97A336DBBC,SHA256=C6FA14BAD4CA9A0965A93FBAD642EC171BD8ED0B12875B4C50A805189194B5D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554502Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:59.108{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558F65B56527AC338DA2E33597343F9F,SHA256=5933154FEEDECB2A904E387FED1CB074A8CDE0D0E0980BE82DB0B5C38A18907F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652859Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652858Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652857Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652856Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652855Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652854Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652853Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652852Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652851Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652850Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652849Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652848Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652847Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652846Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652845Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652844Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652843Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652842Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652841Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652840Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652839Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652838Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652837Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652836Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652835Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652834Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652833Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652832Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652831Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652830Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652829Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:03:59.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000652861Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:00.867{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B5989A340F5D572B9544B3C5C726B6,SHA256=8CFC0172CACA4A934FB1F8D58017D3D9F63BA05F7459E06B33AAE5144B3E6934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554503Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:00.121{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87CBEEF16546DDD7CA3E9631A6DBD30,SHA256=8847402267A969FDAE98CC8A723432E551800B3F6F1FF023AFCC6306E9A715BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652862Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:01.875{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395F9ABF76BAAAB19BD2B9FDAB88CB3E,SHA256=ADB6E0D7873D2C055251A6E71A2CAA68A485D7E949F409B919BD838F1DB71917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554505Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:01.263{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76EF3B7E96A9B5CA5FB90AD8367143CE,SHA256=4F2603D37984D83AE57ABE8DF2DB4C2021EB309987F853B15B5F2224CBAB1ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554504Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:01.185{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8E21AF471CB4AB2A7704E173926EAD,SHA256=2087CE830C7B3C3B3EBC86D6B40D621597A7BA7DB038DB18B01EC594E7EB6289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652863Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:02.910{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753ABC3AFBED18FA92EB95A7DE130C88,SHA256=49D2BE1DEAB34808B3BC9140726C6DF56F4F2B29B32F232488616E8AFE38CE4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554507Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:02.185{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6098A41C7CCBE47D072258651CDF686E,SHA256=0F3CBD49AD2F580CA54573E7E1E73CDF51E1333B2061D7FEF290CCC69C08F934,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554506Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:03:59.872{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51639-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554508Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:03.205{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210D5EF4FDA0FA0A27DA43D18EA8C634,SHA256=0DC402A120AC2CD9B77B1B1C1181659FDDDB0EE4722077EFBD8EA92D65A0B117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652865Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:03.941{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA0F47694772CCCC30330FD4B1C560D2,SHA256=8497EE6960AF36B9928D73C0C31BDDD5BB9BAACA32796689D6A35194C8B157C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652864Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:03.938{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A68B114B293B32192AD274986DC8B543,SHA256=D16ED689F2AAAF8E7186077AEDA89DDEC60C5E8CC7C37FAE1DFE318F71143671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554509Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:04.236{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6352891EF95689D78888DF75C1D5F4A,SHA256=5956C469FF8463CDD9A9232D3EAB3D540263FD213F48801CC1D73E19D4035436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652866Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:04.142{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93A87DB37F974B280F925D78248CA65,SHA256=B9BE2BE7D51C512BACAA4024391F6AEF73C80749B5C442A3076331599D73D997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554510Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:05.252{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3F6A3A850EB0A1F48223E91E96F95A,SHA256=CDCB9A2DD89947A7C2ADDDB07AC7610C52B95277F02F68464B82B03CFDE1D062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652868Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:05.158{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6934BAA92FDE2258EF7CC8E95B341E80,SHA256=387466EF07BA6AC63DD3BB720CCC8B4394309D9159F5BD16BFFF1C2ADC9D265D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652867Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:03.291{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65182-false10.0.1.12-8000- 23542300x8000000000000000652869Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:06.166{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10AC0879076DDBCF7B432F8CB574E1D1,SHA256=5BDAAC8FE9B45FF434EA0B9D0E52C9A78969C56B2C63573178C23A78C3D6DED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554511Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:06.268{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A67CA9B98E18402C0FEB60C3D32376,SHA256=48443E1EF47ED4298D2726D1418E2AE142B2A327C9D35491A2001D0D65668852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652870Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:07.176{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB41689AB0C2043BE75F10D9EBB209DD,SHA256=1A1A9F3B5BC838FABFF7F65EC8006D3F5EEAFDD1E2829EFE2F158BB16048FE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554514Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:07.346{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93B9BB96CBB43B0AA3EC7C5F24B569C,SHA256=6EA915BB31ED7050A618CDD057898DF774DDEC3544EA516BD4BACD676FED8A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554513Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:07.080{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9CB77FB4F572E6E3D2249F3ADDFFAED,SHA256=6AA866959A7345B4EA4750FA4E95219FE28AEFB867642DEA9445938D11F25592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554512Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:07.080{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C9AA87B6ECB31B0ACDCAC61330CB6A7,SHA256=68F52D7BE34194E29C30A0ADACFB67A46F49593DFF06FCFEF885A07737957D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554517Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:08.768{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2DF639181FE5928DAC915B4EB67FA1BC,SHA256=03B6F1F1C5907F88E894D517776980E4A411BD188D7363C3976857C58ABDE67A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554516Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:08.393{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DBD7B4337821A9F6B7895975199CFC,SHA256=F0DFF155198ACB1DDA88B9BD14917A62908585B35E04883E5E87C4123295478C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652871Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:08.231{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB21918E2C10BD0E5E048EDCE158219,SHA256=C1D6FADD16F238D576BCACF75FCA1C801341BD314087AA2118B4CC5D2D059179,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554515Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:05.706{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51640-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554518Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:09.424{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F654C78E321B86D4257E7B567E6CA497,SHA256=306077BB98FC6BD7D9424BC8B7E8D37F4FEAE748D943334A8C56812A200FBDE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652875Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:08.461{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65183-false10.0.1.12-8000- 23542300x8000000000000000652874Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:09.249{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE870C2FD713711BEE6CBD54B7F0074C,SHA256=3D4FF3BFDA486C81E8D9D70AC77603C39786BDB911944EB504109AF05F2B77C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652873Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:09.228{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7132E8BCCABCABAB59BB1BA2B2F9EDCE,SHA256=D1BE0A76B7532F2545BA2D06049C95552C6145B4F913899B3D0B384E8A8864FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652872Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:09.225{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA0F47694772CCCC30330FD4B1C560D2,SHA256=8497EE6960AF36B9928D73C0C31BDDD5BB9BAACA32796689D6A35194C8B157C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554519Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:10.424{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992B270B66257128D6112E8FCCAE6925,SHA256=7D80D4A226036E534317F7B376101E281F8D9A3653072E767E965FB71FC0F8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652876Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:10.318{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440DD3D5965D772939DACD7E95E070DE,SHA256=BB37DAD6953A63F91CB21C1C51D934F866B7CAFA9E9D521520DE3D0DE588AAB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652877Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:11.332{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F26DC9F4D574AD71BBA2F9AA71B7855,SHA256=0E034A33AAD8AF2D489E3FD67EEC9A3A401469AF794D43624724D26BD6D24F49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554520Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:11.439{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E128D149CEE1E1F12056A5DE84AEA1,SHA256=7F6B131DE1ADB44E27D79A6E5078ED3EFA4367460182FD29E28874660FA8D081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554523Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:12.439{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2E50B0D6C3EEC1433DC23DE29C2E70,SHA256=5311224D9A74C4FE8FDE9A7F5CF5DCF636537735AF7AF5903880F3E96B961BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652878Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:12.339{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF918820D949E3FBC2B1CFAA47AB63B7,SHA256=1B5003626A4895AA471E2869D06F65892EFAB321F47EB77162C030CFB4AACB72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554522Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:12.236{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA3D2CCFFCD1FCAC30B9F34859C91EC3,SHA256=68918AC25849834D1EE00A0EAA91A7DCBB04392CD9FD843E6C603CAD46F1CBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554521Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:12.236{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9CB77FB4F572E6E3D2249F3ADDFFAED,SHA256=6AA866959A7345B4EA4750FA4E95219FE28AEFB867642DEA9445938D11F25592,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554525Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:10.815{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51641-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554524Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:13.471{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54BC6FEE49A82415BBEAF745105EF750,SHA256=F0948D268877ADF2C55371433EBACDBFB4DB29D7EB64AE046BCD0E344D837AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652879Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:13.353{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B399D6F8E4C0FEDD1CB2C94240CECC4,SHA256=C52E46D0D03E9C8CF8043CCEC7A789C1E6696B4672AC7357EE45FBD378AF7E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554526Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:14.486{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BBF3AD8088394482C7AAEA50FE7AD3B,SHA256=22BD62F47BA5E3CEF56736083D3149B14FB8768C88FA2BA07F38634F451F8A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652882Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:14.364{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3487039B46233ED33B3D2628BEE803,SHA256=A9DF43A51A09243CE9F46AD467F7FB440CAB4E4E57A3BDB86C73CAC851FAD988,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000652881Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:14.144{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txt2021-05-13 14:34:13.883 23542300x8000000000000000652880Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:14.143{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txtMD5=849CFD52132F283700363D6F06EC951F,SHA256=9DA6F7EC41EC5759D765A1C52BF598D77A763446E1BFAB46A1C4E5368A62AE1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554527Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:15.517{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF91011B9A9D6E7CBC8BC8DE539A9C1A,SHA256=3B64D3CCD01F78C08981DEA4870A68692C0D57AF0C90D2A759C2740BC831A8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652888Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.896{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\security_state\data.safe.binMD5=765B3F5937F3C6C41C3DEBBB42CA4747,SHA256=8A52C9BD31128870C6413EAC0B81DE89A097EA3BF86CEFCB6AEE29CFAE7C82D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652887Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.822{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\security_state\data.safe.binMD5=765B3F5937F3C6C41C3DEBBB42CA4747,SHA256=8A52C9BD31128870C6413EAC0B81DE89A097EA3BF86CEFCB6AEE29CFAE7C82D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652886Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.421{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB1715953487F5717508D2F1F1EC779,SHA256=53FF71716630DAB055F8C8241D2E66B6F1BFF029A2AAF40A6B38D1CD60551568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652885Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.421{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652884Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.137{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=597BD0FCDDEF994AE55C57AC0FF0C1E2,SHA256=9D7D9C1CEEB41C85026592923453AA7C24FBFF4489E11FD02E0CB0724211091E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652883Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.137{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7132E8BCCABCABAB59BB1BA2B2F9EDCE,SHA256=D1BE0A76B7532F2545BA2D06049C95552C6145B4F913899B3D0B384E8A8864FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652896Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.457{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FA971AC042340D9F692E887F5533E5,SHA256=7E1A8FA0289F7A00CFD708CFC664558283297A03767B927A1C300BE81BB00C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554528Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:16.533{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5745D57A9CC64D543E577CAE7D92EA,SHA256=36A0B1DDFE49CF74C771D4646DB561A24D97AFDC1041F0AACE7C48202C8F43DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652895Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.402{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652894Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.268{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=597BD0FCDDEF994AE55C57AC0FF0C1E2,SHA256=9D7D9C1CEEB41C85026592923453AA7C24FBFF4489E11FD02E0CB0724211091E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652893Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.139{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65185-false52.84.169.62server-52-84-169-62.sea19.r.cloudfront.net443https 354300x8000000000000000652892Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:14.431{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51429- 354300x8000000000000000652891Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:14.422{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local52392- 354300x8000000000000000652890Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:14.369{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65184-false10.0.1.12-8000- 23542300x8000000000000000652889Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.164{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\security_state\data.safe.binMD5=952F2DAA7DE56128EBDE4EB0123D5006,SHA256=D0CC8E8F64D42230BFADB7852F0A2FB94127BB9D491F2F8EE9BD11FED4E1139E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554531Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:17.533{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BFE391938BDBA7ACD858858CC7BFB3,SHA256=2AC29B449851EDB8EF7BA1B9820F6A0532830CB0575B07613724F23DCB06FA21,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000652902Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:04:17.786{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x8000000000000000652901Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:04:17.783{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Config SourceDWORD (0x00000001) 13241300x8000000000000000652900Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 18:04:17.783{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BB71F2B0-B2FD-473E-8F6A-A6267F6C421D.XML 23542300x8000000000000000652899Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:17.511{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5869A10983806FC4F0BE7DFDF1502EFE,SHA256=D574DDFC215B6C21ECDF635EBAB8464591AC33EE97DE6B1A76E2CF49A6D6C178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652898Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:17.436{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\broadcast-listeners.jsonMD5=D7730DDA6E7759262F5C6DCB4572779F,SHA256=F92E4CF9BDF5109F7B353BB675AED29DB3BD48563ED52E70031ED54DE2B0DC6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652897Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:15.507{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65186-false99.86.33.56server-99-86-33-56.sea19.r.cloudfront.net443https 23542300x8000000000000000554530Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:17.330{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F1C0ADB9235718CE920F463C2465665,SHA256=C49AC0BB804A7FC899288FA08C53055C927BD7522FF856C6CF66C2625B49AEE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554529Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:17.330{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA3D2CCFFCD1FCAC30B9F34859C91EC3,SHA256=68918AC25849834D1EE00A0EAA91A7DCBB04392CD9FD843E6C603CAD46F1CBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652909Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.890{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECDA9E747E8F7670CB9B9618036C9886,SHA256=F39D96ED8E0972A5A007C59934D240FCB934005A4BF850CFD205599FFA40175F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652908Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.516{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5E7DFD757DDAF144CD285168B31128,SHA256=87ACE183DBE90637BAF6652A96E9EC2617DB19EB2D235B3609776CBA3212D343,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554533Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:15.894{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51642-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554532Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:18.596{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2977F5BA439EAF61C11E5780B4DCCAC4,SHA256=11720BDABFF641D201D67D22DE38CC535D77432BEA36715FC4CAF88FC520A1BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652907Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.339{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65191-false99.86.33.102server-99-86-33-102.sea19.r.cloudfront.net443https 354300x8000000000000000652906Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.301{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65188-false99.86.33.102server-99-86-33-102.sea19.r.cloudfront.net443https 354300x8000000000000000652905Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.299{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65190-false99.86.33.102server-99-86-33-102.sea19.r.cloudfront.net443https 354300x8000000000000000652904Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.298{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65189-false99.86.33.102server-99-86-33-102.sea19.r.cloudfront.net443https 354300x8000000000000000652903Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:16.260{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65187-false104.16.249.249-443https 23542300x8000000000000000554534Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:19.611{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9621346ABE5D69B9C44325F66E0506BF,SHA256=407D20065DADB83308AADB96FD8BB3527D9E923001F8AB63B242DF10AE554BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652916Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:19.558{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69EDE3947B69193EF3BC150A10A23C19,SHA256=6C8DF584EF44C00B85A236511982352DD5898CDD000E6462EDB65517AC290BA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652915Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.035{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65196-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000652914Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.035{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65196-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000652913Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.028{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65195-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000652912Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.028{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65195-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000652911Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.014{7B03F3B2-D0CA-609A-0D00-00000000BA01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65194-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000652910Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.014{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65194-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 23542300x8000000000000000554535Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:20.627{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE4FDD75D5FC9CA1EF928AFA5FAD5E9,SHA256=0747959C84592D340FE32EBC26EF89B498B6DDF986D236D596D3B388BA86FBCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652918Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:20.620{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96B2E32A47FD1E6B90A945251F5774A,SHA256=1939E602B5441EE536009E099018E42603BAB2D6FBAC360211E8C1FB60D869FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652917Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:18.418{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65197-false66.203.125.12bt2.api.mega.co.nz443https 23542300x8000000000000000652920Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:21.629{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550A8E48533FCA1ABD1B6C732F153B58,SHA256=B9AEE1388E293DC7B716A3EA42F550DB82D61E618D3C418B698B03CC9EFF1BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554536Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:21.674{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0481167FCEEB6E25B5EE0C7C62F7B89F,SHA256=209C42B147A98379664BCBFD1D10DDB7FDE54E57329EFC0CA1D3D39FDBF3B463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652919Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:21.123{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35272B757B13CE67BF18FEFF74165F55,SHA256=3C7D6369574DFAA096FFB6BDF3BF242E36285726B02FC7B634791AB87F690F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652922Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:22.653{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B90AC6A190E9395C05727C09AE69CB5,SHA256=6DFDF97314FA3629E36ED0CD53B35CFB320CD7756283FBAC3A9AFA6031947214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554537Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:22.674{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648DBDDA094CC0C2B2C4B17C6D04A9BB,SHA256=473585AF65BAD598BFD341A99EFF522C6C67A53532390296F7FCB15D4017D51E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652921Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:20.358{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65198-false10.0.1.12-8000- 23542300x8000000000000000652925Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:23.948{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF42E0837030BD0BC70A399912A37033,SHA256=6465908AEA5E6B48ECB238EFB5C389BEF262668090752D5AD4F8D44863C5E405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652924Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:23.668{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB76C9B0419AAD392AD3DDC97FF6828D,SHA256=EE5A4AAC6A0293E1E4600B45F79BF3071AF9E1D828BF9958957CD1FA95B5148E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554540Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:23.684{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566D9D8AC30A8E28A0F332ED2CFD2CC3,SHA256=50B3CBA1C2CA1B4A76525D8012E7115B010F502A37F2D082730B872B21B8262C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652923Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:23.003{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554539Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:23.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F62702D67A36871C5008B67C065B81F0,SHA256=7C5A08BC338FB027A46A7F0A5765D3CDF81B0E2181A4502D0F89ED8A80CC1647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554538Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:23.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F1C0ADB9235718CE920F463C2465665,SHA256=C49AC0BB804A7FC899288FA08C53055C927BD7522FF856C6CF66C2625B49AEE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652926Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:24.692{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77986AB527FD313D54A9B2DAAD2F8E4D,SHA256=0B575C15736E76D4C5D60F95107F9AC6F832B56E10D683F27455AE251ED5572C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554542Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:24.731{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37834FEF05D7CFB1A64536061DD620E,SHA256=041B618881283BBECAC048469D1E3F14C02DF6A7205093A9EC72A333C49D0A34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554541Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:21.784{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51643-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554543Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:25.746{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8A116C6AF48D0253520FA6BABE3C36,SHA256=6AE63E083B527CB6782EE94651F7A07EBFAE9C4A9AE5AFD58149211D1A070D49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652930Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:25.717{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9CD18341FAFB887AA36F8671202D85,SHA256=AA1FE0C5ACCC3D1690985A1A19F8C0606FF8C52759A2DA91097C82CA362AD38A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652929Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:23.598{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65200-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000652928Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:23.598{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65200-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000652927Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:23.224{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65199-false10.0.1.12-8089- 10341000x8000000000000000554557Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A2A-609D-6D4E-00000000BB01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554556Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554555Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554554Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554553Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554552Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554551Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554550Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554549Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554548Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554547Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A2A-609D-6D4E-00000000BB01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554546Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.809{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A2A-609D-6D4E-00000000BB01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554545Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.810{E1BD9FC2-6A2A-609D-6D4E-00000000BB01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554544Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.762{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A357CA03B68B7DB4AF39BA081661B77,SHA256=574FD538027EB44B17B22C5AE6835A19D14949F36D58C28932AD411DC8CACB25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652933Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:26.721{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B562493611E380018EA2E44A4407CA6,SHA256=28FADEFCBD8D4077BC404B5CED1DF128F716564879DAA400B6165C5113A2DEC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652932Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:26.673{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=522DF31CCDDEA337B81FC89CD94ECAF4,SHA256=DB70E1978FDDEE10201E7F695379CABBDDE8F36E265CAF4BEAE5B1BCBFF6F30C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652931Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:26.223{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DFB58C2475A37AECFF3FF6E292C9770,SHA256=1134B7E54B26DDF1ED6178FF986EC5771EFE5CA692AEFD4757657323DD89A781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652935Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:27.763{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6411E107496C8BDCC778F43A62EBC9,SHA256=F4F61A31C1E71E34CE21943FDFCACC134FD2F0C2E27C7A60FF1A983585F895CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554571Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.653{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554570Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A2B-609D-6E4E-00000000BB01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554569Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554568Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554567Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554566Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554565Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554564Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554563Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554562Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554561Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554560Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A2B-609D-6E4E-00000000BB01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554559Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A2B-609D-6E4E-00000000BB01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554558Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.481{E1BD9FC2-6A2B-609D-6E4E-00000000BB01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000652934Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:25.464{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65201-false10.0.1.12-8000- 23542300x8000000000000000652937Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:28.775{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8285F6BE337B1F8A8FC405CAADFAB39,SHA256=56786629E9C89B46DAC5BB341B7C98C85535BC6BEFC33B4C0CFE2D47155439FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554588Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.278{E1BD9FC2-6A2C-609D-6F4E-00000000BB01}40401188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000554587Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.278{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=845422C5EA447E81267E036C66823E44,SHA256=16AD1AE8EC44EE0C7BACA060C947AD86C036B8797F4A3B449144B68E2C2118F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554586Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.278{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68242C26786A34EE8A1F467618299738,SHA256=7DD75E30A7FC23C5465159F1071CC6528E46AA8E167EA399906FECF54FE315BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554585Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.278{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F62702D67A36871C5008B67C065B81F0,SHA256=7C5A08BC338FB027A46A7F0A5765D3CDF81B0E2181A4502D0F89ED8A80CC1647,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554584Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A2C-609D-6F4E-00000000BB01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554583Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554582Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554581Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554580Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554579Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554578Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554577Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554576Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554575Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554574Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A2C-609D-6F4E-00000000BB01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554573Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A2C-609D-6F4E-00000000BB01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554572Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:28.153{E1BD9FC2-6A2C-609D-6F4E-00000000BB01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652936Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:28.340{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=496DE726D213B2701F04E5AE54E6CA70,SHA256=5FD18893659B97138ADAB64E04927BB862581084A1AEF92A46E4D99C0FD2408D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652939Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:29.922{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=953A19B36EFE04DA14569AFB14F19D9C,SHA256=B6CE2341C80BB5D27D5F5239E7394E25C39CB454EB61E35C68AE733C578E21E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652938Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:29.792{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D026EB6E91CA1FA4D59C508CEF831FBE,SHA256=97E77F3E163B07BDB8DD09C60C3E5EE2B0EDA64657D6412582EA98101F0E6A1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554592Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:27.279{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51645-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x8000000000000000554591Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:26.872{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51644-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554590Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:29.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2E44F92453EB23873987BBDBF994B1,SHA256=9A2103AC8216C808447B255A2A976086778D37BA52025A7C8603E458C2D4C93C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554589Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:29.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=845422C5EA447E81267E036C66823E44,SHA256=16AD1AE8EC44EE0C7BACA060C947AD86C036B8797F4A3B449144B68E2C2118F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652940Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:30.830{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72365F0BBB3F4C01865B5FF8F11EFB4,SHA256=78C76536321DBBF098EA551C321793999B6ED52A802E70B76CD088C293BD7D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554593Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:30.184{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F757034A9D759FF0718F41C68BE4EC,SHA256=1EE0704AE2E800B5A94B252B8FDE69968FA1D75F1FA2DB1AD1656B00BAA2DF6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652943Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:31.850{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B63A64D6B29B6EAC608B1D59A91D1E0,SHA256=34F5454E531E3AB12045A5ADA2F5228501E4BE9BC6CCF840C650C5252FBD078D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652942Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:29.335{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65202-false185.70.41.130185-70-41-130.protonmail.ch443https 23542300x8000000000000000652941Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:31.240{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5A74CDA99E9DF6951375E7C0130F7B8,SHA256=7629F46A8D3BD586B6A9ACAED5E230906DED6F7CE5B04E508CEA62A0066A5F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554594Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:31.184{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A020C2F94C8B64D71FE80968B9EF09D,SHA256=38510DF79FFB4E5C9E41899ECE14433C101766CA3A6C650DE8310BAE3ED63D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652945Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:32.862{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0F227513A15FE79FA1C4E40C9506A7,SHA256=9FF4346FE645EB5FE9CB0A0575377DD3D582336AF7A5BB6395CE5AEB1D8EBBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554595Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:32.184{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B59977BDA792EA4C26B840E16E77B66,SHA256=9EA251ED3A557088021072436DECB9D23A6568A267F38F1ECB9A72FE7F7D3BBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652944Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:30.471{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65203-false10.0.1.12-8000- 23542300x8000000000000000652946Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:33.867{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB4ACAE9A8A5DAD7AC5B27AEEC73AD4,SHA256=72BFF722EECD1A626AF365BE0F3B43D8551CC5DD21185989735279A96DC95191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554596Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:33.215{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C4AAA3BA088256DCF81800F4C782BD,SHA256=32D81152DDCD8FDEA69D7BB2F7F275690BD654D240B82ABE5AB49C710D17B649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652947Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:34.982{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B28F5A03EF7D5735A209D08EEF71C6,SHA256=26D7A8874735E170CBA829B0AB387F3B71039C43A302D56830ABD850937DB13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554599Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:34.293{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0A03C0AD60EF08D7F12B3280BC4E54,SHA256=28251B8EA29E90AEC435DA8ACF0CCE83E6F09F528C640BD9108E884D173852B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554598Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:34.246{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F31288419179D13F5CBA82BECB97CC8,SHA256=02DB260A9F06AE3D8950DF68D4F65E423B94320A1EE3D9D60CF628724710B76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554597Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:34.246{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=892A8DCD3BCF4AAA207F78A986600B8B,SHA256=217D32D777E60164C1B7639DE47E8AE1BC79187FA890AD3D4F38F7303C26FB2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652948Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:35.993{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517E7FA166726598D070C5F73E941696,SHA256=ED0C4DF2C11888AEB36F4629C4162B98B2850CA2CBE11F7165D5DD9A2DF44E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554601Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:35.324{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C7E7EC721BC2FCD61CED5843608187,SHA256=22B47B8EF03474E372289F990632C0773158BCE7C3E8D0C601D70FF2B11EC2A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554600Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:32.872{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51646-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000554630Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.809{E1BD9FC2-6A34-609D-714E-00000000BB01}6162016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554629Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A34-609D-714E-00000000BB01}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554628Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554627Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554626Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554625Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554624Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554623Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554622Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554621Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554620Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554619Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A34-609D-714E-00000000BB01}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554618Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A34-609D-714E-00000000BB01}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554617Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.684{E1BD9FC2-6A34-609D-714E-00000000BB01}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554616Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.356{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3744CB1CFD73C03D261EED259119F24C,SHA256=754253CA1A92D82D48B43C3605AB530219681407217171642BC0790FD3FC638A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554615Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.137{E1BD9FC2-6A34-609D-704E-00000000BB01}32921464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554614Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A34-609D-704E-00000000BB01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554613Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554612Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554611Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554610Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554609Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554608Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554607Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554606Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554605Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554604Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6A34-609D-704E-00000000BB01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554603Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.012{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A34-609D-704E-00000000BB01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554602Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:36.013{E1BD9FC2-6A34-609D-704E-00000000BB01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554646Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.543{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4467895D4B094B5B7AFCD57FF49C89,SHA256=D207E410CC135F447CE81239F0B8CB4B1226A519A4566CE6B72CACDF7EF1BC93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554645Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.481{E1BD9FC2-6A35-609D-724E-00000000BB01}3904736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000652952Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:36.357{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65204-false10.0.1.12-8000- 23542300x8000000000000000652951Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:37.128{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C156C8FBBB92BE087C1F0B4BBCF786FB,SHA256=5520229DB9E6AB51A7D0250AD3DDEBCB7A5AAE7E726D0F0C7A98DDE0D513141D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652950Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:37.128{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAD526C60424210CB4F946818BD4548E,SHA256=8A218F91B7ADBE2F1A6274210A7638E69CB7EE8A405A6027797E10C2896E87A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652949Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:37.025{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187AE83765780982DCB21A3FBA0A7B1D,SHA256=B55ABDCE70C2BECF687245EFE0873E123CAC7C072F0D3E6516971E511980859C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554644Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A35-609D-724E-00000000BB01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554643Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554642Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554641Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554640Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554639Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554638Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554637Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554636Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554635Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554634Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6A35-609D-724E-00000000BB01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554633Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A35-609D-724E-00000000BB01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554632Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.356{E1BD9FC2-6A35-609D-724E-00000000BB01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554631Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:37.028{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F31288419179D13F5CBA82BECB97CC8,SHA256=02DB260A9F06AE3D8950DF68D4F65E423B94320A1EE3D9D60CF628724710B76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554661Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.481{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B929C4997B483D094A1A932FD558C9,SHA256=5D06E31F5C74591DED1614167A1F2F61E3C61D09A4CB98B74F5CDBE561986C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652954Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:38.946{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C156C8FBBB92BE087C1F0B4BBCF786FB,SHA256=5520229DB9E6AB51A7D0250AD3DDEBCB7A5AAE7E726D0F0C7A98DDE0D513141D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652953Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:38.102{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA4093E02643DE4063525847E336881,SHA256=3EE2F836A93C73BBF906C984D79D3B89897821DE9B6CA510C1F5EB4FE11F9A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554660Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.371{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=324BBEEFFDDC21CB5CC76F3737901C0A,SHA256=AC0DE5A73E0900C5FCF8ED105768AC275C6EE06212C8573C953AE69D99981855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554659Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A36-609D-734E-00000000BB01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554658Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554657Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554656Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554655Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554654Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554653Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554652Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554651Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554650Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554649Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A36-609D-734E-00000000BB01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554648Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A36-609D-734E-00000000BB01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554647Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.028{E1BD9FC2-6A36-609D-734E-00000000BB01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554662Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:39.512{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6950FF1D3F11D8D49F489757BF11F20,SHA256=E8378AE2C2B9864D890A5CF3A3636CDEA641160E56C8D0A7DAEDACC64EBD90F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652955Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:39.125{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40BD2FF0B3C9625E7C68B648FF55116A,SHA256=26C3F083E9AF1E71F4908B8744B816C21FBCC57D9561D2F6BA4D7426C9593FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554664Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:40.528{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1AB7D7BBD71AC58BEDFF2E97BF78E4E,SHA256=DFB2AC4302DF8494244B01452F682C121DB4804ED526119571FD9FBD36F25098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652956Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:40.143{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922EF7A5899DB4E36EC8A4132FBA7373,SHA256=669035C80D6930DDBA062F019E063374BCE7F60CCCAAE216F2C99AA7EB9732E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554663Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:40.246{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F709DA3E503EED9CB1F1C981C78F2667,SHA256=885EDACCE628D1E1005E28635934D01C4D4B0A7760242393EDD032378669AE46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554666Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:41.528{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54C9724D446D0972374C5BA04792099,SHA256=81E6061DD5D8F41D81E9C5598D93620E17B7F945081422FE2E58EF77E146787E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652957Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:41.166{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0EBAB812FB0AD576AA3C33ACCED28E,SHA256=FAA1BAE2D1972948B8E4B5B2F2DA37855E4DED0BE5EF4B142524A29321B8BE93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554665Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:38.872{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51647-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554667Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:42.574{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=897DA6B0B1E2F089F25080B19A730B05,SHA256=873F5E9EB2235AAA04746C735601A8CDB444B4D19BE95B5DFB9AF9B69266992D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000652960Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:41.431{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65205-false10.0.1.12-8000- 23542300x8000000000000000652959Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:42.199{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C47F9DA6513034F00243E53470CE4D50,SHA256=C90C541E3E53036663178A63CCABB2C535BD6DA827FA210B3AD5C5177F007053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652958Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:42.183{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F45CD74FFDD57BA1131B96D87CDC9BD,SHA256=3E3AF384DDE3CB4935D6CE0199DF7A7DBC0B3B652ED6CCE9BE428B43BCEB418D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554668Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:43.607{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8255C07CD682B65C348D66128033B3,SHA256=1E8DA439B01A26EDA70CFA5ADBA32BFDEE637D5491FC59E78C966B06F3118DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652962Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:43.966{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=411C416BB1622C74B76F4C08AA1A7458,SHA256=1D514BC5BE03DEB5A2C54018E90F6B0FC796BD61C39584697CDDE7A8AD936CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652961Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:43.197{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2EBD73319FEB0AB19C91C592A2218BC,SHA256=193C8382ECE03185C997370668910D2F9C574DF7D9DB3EE3A88E6E653A41A9F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554669Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:44.623{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9E4A342AC51FF52B9DA1EEFA187E90,SHA256=D19667ABA00BF3567D152B180BE5CDD476AEC4D90A9F7B66F9BB5CD199EBC1AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652964Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:44.525{7B03F3B2-4788-609D-774E-00000000BA01}1036ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1036.xml~RFa277e94.TMPMD5=5714059E6175AA2BE2D911D4379F98E9,SHA256=264C6878029CE25FF6ED4F8B1DC23FC47E1DCE8FD2D3EE4B31E7066B69968955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652963Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:44.211{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16849C3A8CAE0663F4642112BD1DF1CA,SHA256=7DF78E8B9AF3FFD40201D242DFDC9D7B7D5237C552B957BCAB94DE163C3472FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554670Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:45.639{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123C7C4E56AE36FDD531C419D109C81E,SHA256=EEAF3CF6A4CBB5F0215AFC4C0911A765F7DC125AD77AF1ED220C90D7BD5F79D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652965Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:45.217{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5C3617A6730234BCB4BE444A4170D0,SHA256=EB1C55C5B1F155B8C56F3322E6BB0C99E56F075889C2B89998C3EBE6EEAB754B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554674Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:44.764{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51648-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554673Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:46.654{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA21C19292304375665FF18CF19BDAC8,SHA256=E64CA2D7D9FCE2C2ACBE38B07F70B3D6749A815F6B865B70ABFEB0A1C085254D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652983Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.961{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A3E-609D-5E53-00000000BA01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652982Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652981Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652980Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652979Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.958{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652978Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.958{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A3E-609D-5E53-00000000BA01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652977Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.957{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A3E-609D-5E53-00000000BA01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652976Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.957{7B03F3B2-6A3E-609D-5E53-00000000BA01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000652975Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.450{7B03F3B2-6A3E-609D-5D53-00000000BA01}78607964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652974Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.284{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A3E-609D-5D53-00000000BA01}7860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652973Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.282{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652972Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.282{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652971Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.281{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652970Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.281{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652969Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.281{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A3E-609D-5D53-00000000BA01}7860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652968Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.280{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A3E-609D-5D53-00000000BA01}7860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652967Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.280{7B03F3B2-6A3E-609D-5D53-00000000BA01}7860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652966Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:46.244{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01FFDF6E76CB48C2B9E1BECEE735830,SHA256=058216814A0014F5F1B155EF196FB284234D1EB8FF3DDFD19228F1EEC9C2554B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554672Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:46.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=342D61056B229779911736D574F78A86,SHA256=82B9073E3277FBC4F602AE9268284D12A0A553CC7A73402C4D226E6B62082672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554671Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:46.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A7DA095F8B6AEB9834D1455F1EAB2C4,SHA256=124DEA611EDCE8FB511EAA19E40A659C01D7B5F9C259C913714A40BAD7725E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554675Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:47.670{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0260CDA91A085644F63DF25877ABD17B,SHA256=A80AD47EFB18F4C30B805A170FAFC0D9D284A6BCA5B7FF5AB290AF0E8BE60230,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000652993Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.572{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A3F-609D-5F53-00000000BA01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652992Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.569{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652991Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.569{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652990Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.569{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652989Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.569{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652988Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.569{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6A3F-609D-5F53-00000000BA01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652987Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.569{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A3F-609D-5F53-00000000BA01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652986Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.568{7B03F3B2-6A3F-609D-5F53-00000000BA01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652985Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.300{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A1A17B314D5C42906D2F16FC386D80F,SHA256=B3D5161098FAC5A47323393A71200E6771DDC1DFC1918C00E02A8550B59C8680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000652984Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.256{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D783CCF85DE91E87837FB8627852AC42,SHA256=5AEC328326D5C353BFF9233CE57B13D25BB2BFEF880D80B242D2CA680B2FCB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554676Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:48.685{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DC86C36D97E82359A74FE3D0E21E09,SHA256=09511367289305B98C18B7A769A6ACB6C1C4EBAC65651635AF991CD005CFD2DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653005Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:47.399{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65206-false10.0.1.12-8000- 10341000x8000000000000000653004Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.611{7B03F3B2-6A40-609D-6053-00000000BA01}38684848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653003Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.578{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=211C37589FF3018CE245999AF0DD99FC,SHA256=4861B81C0786A30D8C800BE9F9B912891B74BB913AAAE95AEF0E1C9722D19D4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653002Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.469{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A40-609D-6053-00000000BA01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653001Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.467{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653000Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.467{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652999Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.467{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652998Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.467{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000652997Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.467{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6A40-609D-6053-00000000BA01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000652996Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.466{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A40-609D-6053-00000000BA01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000652995Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.466{7B03F3B2-6A40-609D-6053-00000000BA01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000652994Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:48.317{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F715D13D5C2972EFD52DAC38A581EFA9,SHA256=A97D2A3B0C9CCD242E36D671004EB5A81C75289E196D4901669153E8007DEBCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554677Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:49.732{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94CA813BEEAC20FACF2C3A53ADA8B02,SHA256=B3A94C60692CD5704E382E3C9854B40E4F4A63A33CF504138641E2C7A468AF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653016Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.619{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32714FF1242876968E688E5DBE6D6F9A,SHA256=BDB774DC356645B9E5437548A2C291952DB037B1BF5142FA695985060D5E8F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653015Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.331{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=537549A902E4D5CB8396C5879228C4B7,SHA256=83BC16ED7ABDA2BEB9D5A0F9D4EF112174BD520E8931DF3D7CFF4EE9F3C4802B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653014Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.318{7B03F3B2-6A41-609D-6153-00000000BA01}28363644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653013Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.155{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A41-609D-6153-00000000BA01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653012Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.151{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653011Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.151{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653010Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.151{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653009Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.151{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653008Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.150{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6A41-609D-6153-00000000BA01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653007Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.150{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A41-609D-6153-00000000BA01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653006Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:49.150{7B03F3B2-6A41-609D-6153-00000000BA01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554678Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:50.748{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08ADBE3F68672CE59C1D8714BDC82A6F,SHA256=E59CE300DF5110DA64676DFE0F0623028BF14730300706B760C5514CF2514555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653017Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:50.334{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD66117D1338ED8BEE0697B2C748B888,SHA256=7429FD83B3B2E94E089543743D5ABC9C5EFB2CD16E6DD2B70D7D6F7A073F608C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554682Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:49.843{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51649-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554681Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:51.748{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F9A414E13AAB396F237341C33860F8,SHA256=5B2F6A82DD7886B46DC30E459912FBE61D7436ADC5CBE5A0961A51D793731AC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653027Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.432{7B03F3B2-6A43-609D-6253-00000000BA01}32207668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653026Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.378{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A529DED9EDC4D68AB7F00BC4988CF50,SHA256=B21A0D3DAF872C76CCE4060ADDF76BFD58313CCF5AC6896A6A19D84D0B49EEA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554680Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:51.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A081CB534BB95F9F584DCA2BBA3B3E1A,SHA256=41171F95969B0F06531ECEF7EEA14FEC6C3117662BC32B2A0399A3FB0D27D80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554679Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:51.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=342D61056B229779911736D574F78A86,SHA256=82B9073E3277FBC4F602AE9268284D12A0A553CC7A73402C4D226E6B62082672,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653025Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.266{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A43-609D-6253-00000000BA01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653024Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653023Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653022Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653021Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.264{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653020Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.263{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6A43-609D-6253-00000000BA01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653019Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.263{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A43-609D-6253-00000000BA01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653018Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:51.263{7B03F3B2-6A43-609D-6253-00000000BA01}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554683Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:52.763{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F299E01207FF46F7140312DE209D9D3,SHA256=05D0EE743629DB562624F3FAC2CCD0535165952E7075A2E7CF92CB424BAC1580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653038Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.930{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0228A25BCE31CBE3CFD25EFD5C8F1399,SHA256=96288288E3DD9EA5EF26BD4F0A1D38BD673E12C835CBC3580CB9CF34AD4D8009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653037Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.432{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72AE985874272FE00E423E939DFF300,SHA256=BF28A967272766977CBF4F3031723684B7B257D81CAE75E5A6A56973638B54CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653036Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.281{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=196234E1E58AEDA8B736A32CFF8349F0,SHA256=C00E3B5DD7C5D7F6B4F3FE92490678F958F59478C6D3D3FB66DDD4179545B18B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653035Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.049{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A44-609D-6353-00000000BA01}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653034Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.047{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653033Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.047{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653032Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.046{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653031Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.046{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653030Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.046{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A44-609D-6353-00000000BA01}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653029Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.046{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A44-609D-6353-00000000BA01}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653028Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.045{7B03F3B2-6A44-609D-6353-00000000BA01}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554684Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:53.763{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A9B5F296AE2FA4E845CF1A78E418DA,SHA256=2D026F7C8A48100BFF6FBFFED20D47EA10F1C00980D1525E632C5997F6DD804B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653039Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:53.446{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06666C93662A361C807530B5DFB76F91,SHA256=04566A96C821F68C18A6F2FB9EB540959784701F6FD049531D9224517B2C881E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554685Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:54.779{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01747C4D5EF2A600EEB7EC28E642EFEC,SHA256=BA0C1E1C7AB1C8EDA6C4BBEC7B8A7022A3182154940AD0FFE96633950D3403EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653041Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:54.459{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FEC2D4E9C1FD588BC594B1C3501AC0,SHA256=A0A6AB0259ECB39F9DCFBDBA24A81CB637641E59704B2C850D06038C95CB4522,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653040Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:52.413{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65207-false10.0.1.12-8000- 23542300x8000000000000000554686Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:55.810{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BE7475CF299624C77E42F922868137,SHA256=12C40B91A30D315D5F61903F878C53225F8074D8B54DBE0C4803ED8645F0D124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653042Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:55.477{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D864E99AE24FDBCED8FE87D52CB6320B,SHA256=E768D18380EFCD559C38257EA9BAD527161F2BCE934DD123FFA1FD6C17E7AC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554687Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:56.826{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCBDC6E5BAA60EE806D94AC870425E2,SHA256=F64E88BEA26D4BBD239FD2B94E4C385AE6951BF496B95A9025FE85C0619C662E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653043Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:56.488{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1657F460A903862600A584D5558C70,SHA256=FFFBF6B6AD2C753682FC4087A2B17344F87C852D8F2B11D6C38004EAA1EC678C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554690Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:57.857{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CC5C7898D26669E618BFFAD7123642,SHA256=14C0AC27BA4AD2BB4CF6C26B977D7A72D5AE87B811E8362289D56B5BC6ABBF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653044Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:57.511{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70DD7579C01FFF81FD304F3231D5B1C2,SHA256=EE1E3510DC5A4349E44353E40EA355E24B434F6B83FB4004230CF91D33EFF4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554689Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:57.310{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69D740BCD135446850F540302CF29FB5,SHA256=79715EEEBE8298A066C7337C369256EB1F0C0E269F73EE38D894756A8F043DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554688Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:57.310{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A081CB534BB95F9F584DCA2BBA3B3E1A,SHA256=41171F95969B0F06531ECEF7EEA14FEC6C3117662BC32B2A0399A3FB0D27D80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554692Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:58.873{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352C3E03C282F108B8853CE578ADE2E3,SHA256=9776B88388AC8AABE9C4B34CE4CA6A90D5A6E98051D24BEDDF8A7FD5CBAC0211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653047Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:58.522{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0C7639812B8268BF609316E26E9D7E,SHA256=0C576C921FFF231A4441BE8D92A68B8E4E4A6FE9B0DA9F32E73545CA1B66AF8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554691Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:55.733{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51650-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000653046Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:58.214{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61370F5EAC4855A77B3CA9BF4F132063,SHA256=C5D9233A755AA3E4CF3DA2D91D617FAEAC12CAAF1025805C09231266093C1B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653045Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:58.212{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAB9B14C57FC073EEA04CE3559CF661C,SHA256=4EAB4F5EC5AB7FD10AEFD076174E2BA5C65AAA2D4F06AC84F01B62C3BD9AC1AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554693Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:04:59.890{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9594D3FA05F1AEBEBFF3F80B2E838D78,SHA256=2603005779428B6A7BAAD6461386125181931789ED452F3DB3A6CB613E9961C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653049Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:59.526{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C97A462C10CFF60899DE0018B2AA5BA,SHA256=B1E973CF3F94DD59F1174AB6135DE13BB2470940E467BA3827409EC3DDFE961B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653048Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:04:57.441{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65208-false10.0.1.12-8000- 23542300x8000000000000000554694Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:00.950{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38694A591D2845E10AB44C047043DD6D,SHA256=EC152E3DA014FEEFD0473BEF35CE0750452655FBB98DB6047886B0CD52F8F3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653050Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:00.542{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E13B4257E0B4E6F8DB33B7BFAD4D98,SHA256=706D094D5B89CAA4CCDCB81AE168671B0F238B42224DC8F315133C24A96DD964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554695Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:01.982{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533D7157BAC15E81F678A0EDC44ACAE9,SHA256=9D6A324C041A68C442A59D9B527A001F45F60A95E88D1026DF8760F2DF359B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653051Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:01.551{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27551B49D975F26CAD799F61FE6EC0E1,SHA256=DCD5A13E3665EDFE146274EC4AA5C4D9051BB08057F23C70694742EFA1D525D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554696Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:02.983{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7246F73EB396772C6B5EF189FC1E733,SHA256=91E3C6F509C7238C4CC1DBF3B579F7B0E65377B2277C8D02F1F1228B692EA426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653052Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:02.569{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=572D7670A0899CC26ADD31061CF68C39,SHA256=CD89DDAFE7D92A05BB5F4EA3CD31EF3E39ABCB679C68A43C2DAB87C1BE6D50B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653055Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:03.966{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D29B795FE92E303F093B24332D7A099A,SHA256=3056BF28BF2643B56F8B455DCAA4EAEB7CA2F4E45CAE852F4658F3D74EDBB7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653054Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:03.963{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61370F5EAC4855A77B3CA9BF4F132063,SHA256=C5D9233A755AA3E4CF3DA2D91D617FAEAC12CAAF1025805C09231266093C1B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653053Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:03.805{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3CC740F38317AD1774A10C88ABC116,SHA256=E4F610FB19794AF43F63E4257F21A06CC146044BC434BDB0F3CD6D069D65C8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554698Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:03.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16C06A291D0FD2B823EEA7CF2585B14F,SHA256=7D69A660FA93E4D9EA1DF4350DE151F9C6FE742469FB5313F422F941C1B72095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554697Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:03.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69D740BCD135446850F540302CF29FB5,SHA256=79715EEEBE8298A066C7337C369256EB1F0C0E269F73EE38D894756A8F043DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653056Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:04.825{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DA4C545D985D7EF5C87EF1620DF01B,SHA256=334C695E2FC7190BC03BC4534D730A25A7CC23505EB106C411FCF59EC10526E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554700Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:01.765{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51651-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554699Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:04.014{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D63DAD7F67BE130C17DC108FF212A5,SHA256=27A8A126B2655AAC48531AB8003D811186E18FEB5EF8DB5B140E1EAA00E7515B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653058Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:05.829{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C099B916BE715A0F972F97EC70A2F32D,SHA256=D103E7870F52B1894A3787AC2F77B05B05C0B4E8CFFD3CB517289A6F9FFFCF33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653057Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:03.439{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65209-false10.0.1.12-8000- 23542300x8000000000000000554701Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:05.077{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0871D9042D4794B7048C58157655BC27,SHA256=AD94025D499A34AC0064569EDE31EF1209D128DD6AEC6FC6900F7EB881602179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653059Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:06.844{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F94A86BFDCA09F14F9033A3E453733C,SHA256=EE8523DEBED7B06C66D44F8E1B87C42A05E0B98C34183229239C0D1B4071834B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554702Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:06.092{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CED4E6886BD575988E722B3C9D706A,SHA256=0CDF12BADB56B22D19484410B9726B2070C27E2B1BF56BB79A69429EEA920F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653060Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:07.848{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9344223361AD03ED273273C5D71887A,SHA256=03F31AE909A92D57B40AE051AB3044AAD9C846ED1093B3A3A5EBBFA691F3F836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554703Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:07.108{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765526A7EC14995FE717DC431912218C,SHA256=E26E5FF618D065FF3D6D2080EF773C6E175D376FD03C185C9439A6C69479A6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653061Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:08.863{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABDDE6B4A950F2BAD4DCC9989E17403A,SHA256=8AFC053DF54BE6B8A9C51F0BAFDAABFD651E7F070F52C72A3F25117EB036D764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554707Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:08.780{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=20B9B5ED8561099115995F3EF267559B,SHA256=753CC3AB5EFE96018D20AD515D89CF649712F3DB47819B2811B65B238705AC81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554706Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:08.248{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=959453097D2F40F436C896AAD45ABE70,SHA256=7B1C2AD0F8225CE87658975CC97C48D02CEDC3E54DC1F449AEFD8C3650445520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554705Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:08.248{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16C06A291D0FD2B823EEA7CF2585B14F,SHA256=7D69A660FA93E4D9EA1DF4350DE151F9C6FE742469FB5313F422F941C1B72095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554704Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:08.123{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B440B925863F34C3FE530AAA8E78D1B7,SHA256=12A6E9ECE0EAB43F100FEF42C0507FE92ED8A59FE757D6DB288C35050A18E5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653062Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:09.906{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59624562665D434B435C17D211EF9BD9,SHA256=5C7AF6911082BDE9C530A1740A9AF08F56D4D61B8B0AA1B158B3AF4BE9E1FC05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554709Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:06.844{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51652-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554708Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:09.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A41865FB10CAF8C87D2D9BCDA6E3ED,SHA256=6AE4768C047769EEB4C0399AC6F69225E8C2C21B88FBF37CD5E49993366A1DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653066Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:10.912{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FAFAE9439E70358F1576D23A8C0C08,SHA256=F77F9450420045F51399B5362D977A7B4D4EF5F6BE29328BD731189793AC14CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554710Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:10.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC0D03A25D26A2C8834F25AFF3C5B9D,SHA256=E3EF99D1C467899B9E00AF16CFAD8E81001C2B8F4BCBA7C717826F955F684F4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653065Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:09.371{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65210-false10.0.1.12-8000- 23542300x8000000000000000653064Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:10.161{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8DAD3C25732CEF87BF3A4435401872A,SHA256=36DA56136C46B7627CA350271D2E7258B1461833EAE264137861C028CC4448CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653063Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:10.152{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D29B795FE92E303F093B24332D7A099A,SHA256=3056BF28BF2643B56F8B455DCAA4EAEB7CA2F4E45CAE852F4658F3D74EDBB7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653067Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:11.922{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0EF00C8781DEBFAF2464801F3D09EE,SHA256=7270043756793CD2695F04CC0428A9623D41EE31356B1BA0279FEC7708A3F467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554711Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:11.155{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3663799C404048CEBB803302DF5786F1,SHA256=CED37F39499AFC86F7E03D307B0EE9B7CC6361537695D3E0AD5687042AA7ED3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653068Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:12.933{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962D31196B5B5AE0B335FFFE941F39A0,SHA256=47A36A6E8C0ADCB6FDE3A177CCF24C0F639303C75F202045E0FE9E703397C387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554712Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:12.155{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13378A6FD0FC5144FC014ECA4D94A6E4,SHA256=27EF2C6C551CE2C728B0AF2B59844D3BDCCDD4ACCD6E4D59CB3CD4CF434E0B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653069Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:13.942{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94B7C0F3CC841223E4C8DE4E12CD00A,SHA256=E6109D6FBD7AFC1FC5F27F011BDE17BEABD5FB3E9B524A643DFCE3EE2729E636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554713Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:13.170{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA5B498BEE4ADA81528E1A904323B23,SHA256=42C7ECDBCA77D196E7DC473E4FE6BF4E410D5F75A96CFFA23766581862733893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653070Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:14.970{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35552D6C348F04C51CCFCC3D5C255D1,SHA256=F78DD5674B2FD75CB6C5B5BCEAA8C3643DC7D6BDABD7C8735666E26205F859F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554716Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:14.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCCB37AE9981FE6EBEF32FBD8D9942CB,SHA256=7CF0C962E38FD66CC709518CB1958576997D8A20A5262DEC774D9AAB0C655D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554715Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:14.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=959453097D2F40F436C896AAD45ABE70,SHA256=7B1C2AD0F8225CE87658975CC97C48D02CEDC3E54DC1F449AEFD8C3650445520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554714Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:14.217{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EBD53049BAD7B5596F38ABE0DB9CB0,SHA256=6BB96DBC567A59DB30390C299835F30FEEA181048A8C4160328B3121DA06AA2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554718Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:15.264{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBAB4F3721B09D8EC49D5339E0DFC7B,SHA256=0E2468646280DC1A0C308667DCB3C06D5C72E2CA532DD31132D025A83D91C3F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653072Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:15.567{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22BABFC451ED31A92A20263FA8EAC435,SHA256=64DE14C6A22D7543C27D3EE7702A15871019907C7CFFFAF03955497405963622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653071Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:15.565{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8DAD3C25732CEF87BF3A4435401872A,SHA256=36DA56136C46B7627CA350271D2E7258B1461833EAE264137861C028CC4448CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554717Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:12.845{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51653-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554719Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:16.264{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C94030E13FA18AE71E12378C41F9EC,SHA256=D65F7AC47A7A16C641C752CD1279AD450532F3C98F32213A1A607B82BDE786B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653076Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:15.281{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65212-false10.0.1.12-8000- 354300x8000000000000000653075Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:14.947{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local65211-false31.25.187.150forum.rclone.org443https 354300x8000000000000000653074Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:14.784{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51750- 23542300x8000000000000000653073Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:16.061{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF36758C427EF34FFE52F33A7D4A03CC,SHA256=009651AFFBAC6092AD0C0FD55E5C6EB8F5B24311EDCEC7253430BAC8A5049E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554720Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:17.264{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714AA3AB41B737A78D0D44F07F17EAC7,SHA256=18BB4A0B7313A2E3142E6360D03DDDE5CB7C696479F4F213B70055786B14F6AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653077Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:17.080{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC24AA08D20D90BDADAFBD7D255F9AB1,SHA256=EBDD7EAD5FC572FC43FEFC6F046048C4375A8E78C44B459B4B5A19E704FCAA4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554721Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:18.342{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17A7923DDB013843E4ED8DDE1823378,SHA256=A3E1453EFEEA013443D88403A00715877CA1F8F6B0248494FD94F5CC5DEDC618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653079Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:18.973{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22BABFC451ED31A92A20263FA8EAC435,SHA256=64DE14C6A22D7543C27D3EE7702A15871019907C7CFFFAF03955497405963622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653078Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:18.145{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F10BFF6698191C8D92AB69EC1F060A,SHA256=F39F6818DEB5AAA82FB6EE239876FED82B28943891F39351D51A237782F0D49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554722Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:19.358{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5513DA33B4285D69C5672ACE51A108AD,SHA256=F0EA0FBDAF40008194318FE05A70BA251165B3223C75941728E447E571C29C4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653080Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:19.200{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A787B94EBE4E205C4E8510032F16CF39,SHA256=61572C59C5660B8904F1BFC2948E8FF34047FB690A5CEB4D1977C511AF83BB2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554726Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:18.750{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51654-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554725Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:20.373{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979486BB0701476A7A2D163107836F82,SHA256=D223D0C7ABDEE318B880CA897E6B461BEEBA368ECC789D822D9B9E549A48CB22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653081Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:20.213{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682ECB6F39CE568EB31285BC00BB2C08,SHA256=F72820D8F257662A5117E7FE9B889FF55587ED17ABE8DE03A27D8A1DF4F13E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554724Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:20.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08935302234F669B34067B7E73272F21,SHA256=B5E5D76EC9DE3BEF840A83839792CC44E33AF385DF7357FCB0C9685A1118DA95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554723Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:20.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCCB37AE9981FE6EBEF32FBD8D9942CB,SHA256=7CF0C962E38FD66CC709518CB1958576997D8A20A5262DEC774D9AAB0C655D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554727Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:21.405{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D430368C3003FBAEB758460B790ECE82,SHA256=380CAAB2FCFF05D9B48C624D3A24578B17A3E48FF5CE0DE9A5483364BED4EE0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653084Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:20.432{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65213-false10.0.1.12-8000- 23542300x8000000000000000653083Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:21.228{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA5099108F590299213A57397381007,SHA256=E1812C778870FB8D0006128314746C2D30DB14C11FB2220ACADB6AB5A56B72F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653082Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:21.200{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12D2DF060D3DB8FE8EF03A474582D591,SHA256=466819D1907F1E006EF917A20C11E41A3B8616099BC08CE5667B3C9CE5053E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554728Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:22.405{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB070E3DB55C345794D286B7589376AE,SHA256=F476B56E9660BF4CA289DDE89617E0175E9D5272E7A6B6F7111D70CBE1EE1B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653085Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:22.233{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677D1B4DE84E47AA9E01DA8BFC40D64B,SHA256=B60C53AE22023B70846D1D49EF83083A2FC505E9A20B2942D018BE338F541080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554729Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:23.408{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743DCC959F9FF2FCAA1350B03868C8FF,SHA256=36ECBE46AE73D2CB4A7F6D5DCEBAB0109852E25E1B7420F35652CB033CCF23F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653088Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:23.971{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B6575C11F99B060E9E9B9A4A7A3D52A,SHA256=446A154BF9423A8024A3910DC4758BDF4E36515A57FC89009FD863DAFCB7BB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653087Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:23.247{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD944F90D0D72757B50AD92A325F4AAC,SHA256=CE1A8E00A95F124EF37012D567E1FF20F904BCA39F8B4987600309D7EC63735E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653086Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:23.025{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554730Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:24.486{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABD8C749D9142EAFB02A4216E51A2EA,SHA256=598327EE7D88268B7382EB9E5A138EF87F4C8CDF2D3B9D34AE24E4AC034F37E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653092Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:23.603{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65215-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000653091Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:23.603{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65215-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000653090Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:23.246{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65214-false10.0.1.12-8089- 23542300x8000000000000000653089Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:24.258{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD83A9922463E0F60E715643449B51AD,SHA256=D55C482671CA404EE3A43E7E7B8633F37AE3D6DBA679AB945988BEB66CFA824E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554734Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:23.878{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51655-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554733Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:25.502{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFFAA4E18BBDBBC43A166F0CDC1D7DB,SHA256=025783D715171182FF3F2E5EDD56244B97087F387755250988E7AB802FF0CF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653093Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:25.272{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA7B902AAC216242AF3E4D510B1D119,SHA256=C7CF24931D438AA64C8BD99AF187C39AE7BCA74AEA2DAB96259E1C8FE04E6C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554732Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:25.283{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2BE071FEE1603ED7FA4C709F2532D40,SHA256=0B0B21B8E96D0B7D2F060699228536D1634A27038D7C4106A4557CB739604F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554731Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:25.283{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08935302234F669B34067B7E73272F21,SHA256=B5E5D76EC9DE3BEF840A83839792CC44E33AF385DF7357FCB0C9685A1118DA95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554748Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A66-609D-744E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554747Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554746Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554745Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554744Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554743Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554742Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554741Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554740Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554739Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554738Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6A66-609D-744E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554737Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.814{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A66-609D-744E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554736Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.815{E1BD9FC2-6A66-609D-744E-00000000BB01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554735Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:26.518{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD8C7AEBA39E2DD71FFAA99591AC0F9,SHA256=785EA0EDDA6DD397FC2BF2D28AC85962927F7A2CC2ADF860DD5AAE18BCA415DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653096Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:25.458{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65216-false10.0.1.12-8000- 23542300x8000000000000000653095Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:26.298{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCE08B8F2166CC118B928001A44CA04,SHA256=053DD8F846464AA4EC89CAC6172D38102B7A670E8B4016E1CA9E7E6D31B80CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653094Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:26.226{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D59B7282A0ED4A52793A358266D5EF68,SHA256=8D4AE77BBBA887B261590032655898BD15EB3E8B96600A7332C3781C7CBEE87C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554765Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.971{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B43DBDD816CA33E5101FCA12F8FEBA4,SHA256=6D090B918071B6E981529C53E594CFC1F58C1F44D3D4AE5D103A1850B37986B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554764Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.971{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2BE071FEE1603ED7FA4C709F2532D40,SHA256=0B0B21B8E96D0B7D2F060699228536D1634A27038D7C4106A4557CB739604F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554763Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.674{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554762Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.611{E1BD9FC2-6A67-609D-754E-00000000BB01}25202864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653097Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:27.313{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA185FA8341F633CDA92938053A6DAC,SHA256=A6F209FF32D535852568C68657204F6F6350FDEE58C2B14C64F6AC7B12B88211,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554761Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A67-609D-754E-00000000BB01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554760Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554759Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554758Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554757Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554756Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554755Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554754Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554753Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554752Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554751Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-6A67-609D-754E-00000000BB01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554750Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.486{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A67-609D-754E-00000000BB01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554749Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.487{E1BD9FC2-6A67-609D-754E-00000000BB01}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554779Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.627{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B299502DDF1D73556FE95365E9B265FF,SHA256=A6E26C08D6EE59392738DBAA95A9F6696DF70372A2075D9CCDAA5635A83FE394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653098Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:28.321{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9C7FCBB5A274A4E5E086FF0812C72A,SHA256=7224A1B1627867DB27F5DE3AD71E6720942C4BE0FAA02022C7805A715ACB4560,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554778Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A68-609D-764E-00000000BB01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554777Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554776Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554775Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554774Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554773Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554772Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554771Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554770Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554769Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554768Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A68-609D-764E-00000000BB01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554767Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.158{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A68-609D-764E-00000000BB01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554766Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:28.159{E1BD9FC2-6A68-609D-764E-00000000BB01}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000554782Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:27.300{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51656-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000554781Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:29.642{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD519723492E4F7D5088D2492EE9B13C,SHA256=E4D15679C19C25DD2DCF9E8183D620CC390E59D81D307F019A481BD752968081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653107Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.834{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=7A61B2827816C260F0A3D27A992B0F56,SHA256=F30D4AE5E9B42FC572C09D5D8CA6E7B929174EBD6A5841CBF9B7BEEF5294A918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653106Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.833{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=AB030C9413B2BD158C9758C029F0B693,SHA256=DA4D7B93DD6DA942E20116D6B30CEEA754E31E9DCEC3DEF06BC1E4877FB146DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653105Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.831{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=C247DD0C01B3AAB186C6ECC2E357FC0A,SHA256=382F3545BB271453B42C7E3333BA28648EF0CFE21A52A2009287CF08DB430155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653104Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.830{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=85C3FB2DDE5C6FF05CD2726C9E2C61F9,SHA256=D7B3752134AC77CBB5BA77748C760B27C5B30CFFA406E9314866C508933D1CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653103Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.829{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E6C99A8A2B2F4237B147A824616E5A1D,SHA256=7A451FF15D556F439ABFCD895419E9DE155C79A177D25FD5535FDC8AEBFF276E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653102Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.828{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=A099ECCE92CEC3CD718D2120EAE0FFD2,SHA256=0AA40605038B6EE02E8D43982D12869349B91DC728A6BDDB604826934B35428E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653101Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.827{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=4495591A0265CF88336D115C4766F64F,SHA256=6B8B65C1810C0F54FB00EDE011110A70C55D24589132078DFFE12C662D4C4AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653100Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.825{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=692FAA48615A03099DACB01967549010,SHA256=B2C7FDDCC96BDB820292492E959B6A9CA40F75A0449D3A2B1BDB158AFDB4B901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653099Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:29.329{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6D6D7934D2DAC20642D326249D2D5E,SHA256=4029FC0D5CEE7816601DBEF90AA649A24C637D2C8F1B46D11057B92CCFA7C056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554780Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:29.189{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=336474DC471CBDCE1C7DCE532CE16868,SHA256=AAECFA107C02239FE32528530E6574597F93CF38BF64A9ACC772C45134BDE73F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554783Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:30.658{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519E8C25B520CBBB3B87F655D208DC16,SHA256=A45874C52DB0DD5F0094026CF01364A001EBE9CC72A2DF39373CA7B9B81478E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653111Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:30.837{7B03F3B2-D0CA-609A-1600-00000000BA01}13046840C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653110Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:30.837{7B03F3B2-D0CA-609A-1600-00000000BA01}13046840C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653109Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:30.834{7B03F3B2-D0C8-609A-0B00-00000000BA01}6327824C:\Windows\system32\lsass.exe{7B03F3B2-D0C5-609A-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000653108Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:30.339{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269C67AD307F115CE9756859FE3CABF8,SHA256=79E4280314C3E205F7984223DFF36281BEB7FAA59C92CC53141CF55FC8642799,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554786Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:29.816{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51657-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554785Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:31.689{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEF39023849A276C4BCD2C9DA615BD3,SHA256=754C5F707A6890BA00CFDF7E203B33B9A07D5202E416075700869B99D506E29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653114Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:31.845{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=098D0EF84A24EF1395E24400F542C2B1,SHA256=92AE06EE46EB603450D66E671B9DB6B587ACA3170B001C5E93215ECCFF2C1B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653113Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:31.844{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A5F169D4E7F319BC42143416D418F4D,SHA256=39340EE224EC4B4874FF73302FAAD298416489348CD9B17BCDCE859B508448BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653112Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:31.371{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A071925BB15A115638DE56F5955031D,SHA256=34A0FC948A2986146DE09D66F4B520F0F91C1790C94E6BD7C945445374AF8041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554784Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:31.408{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=651E038780CCF4995265C468E34485DB,SHA256=29E61C7D97B05842EA04EE2FBADA05F9F8FF98E0E7F839A5166BCDA5377EEDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554787Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:32.705{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460D67BF88077E087461DAB81752E0C7,SHA256=30A1874FB20102D6C39B92D9A24A83A55775EF22FF6533A501CD5D7DBDC4B33B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653118Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:31.445{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65218-false10.0.1.12-8000- 354300x8000000000000000653117Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:31.074{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65217-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000653116Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:31.074{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local65217-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 23542300x8000000000000000653115Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:32.384{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF875202DA2B9F7138F7A2859FEC0803,SHA256=3769AA5CE86469CEEC6B8440ABFAC2A9624C876DDD2ACEC64E5F0D594BE1C111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554788Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:33.721{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F574CA49374B48E5968F7F164F461BA,SHA256=4134588CDF223FC14F0BB68FAFC437A2B75607836788A6CC29F35B3F481225DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653119Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:33.391{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C489FA80BF3BA702177F2969434FAC33,SHA256=11F5798F7CFC140E36B27442AC6A85FA38DE96A5E227F356F3C30B4246EFA81F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554789Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:34.783{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDCFC2D3F5A9436AC8655AA12C11ACF,SHA256=7A42F93556B9AE10E0725A7475D441AE8EDA03451A9A7CE2682D0DBBA8941E0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653122Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:33.663{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local60099- 23542300x8000000000000000653121Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:34.431{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=098D0EF84A24EF1395E24400F542C2B1,SHA256=92AE06EE46EB603450D66E671B9DB6B587ACA3170B001C5E93215ECCFF2C1B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653120Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:34.397{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4F00753CA85884F10686A1DDF2BF15,SHA256=22CF14CBFAF0C4114FCF451CA455CC58B0E8A83D299E58158497FB311C09F53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554790Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:35.861{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29C320A0908B0CC6E9C3338CAB47B81,SHA256=81A7910A63FDCEB028D2611DD20220F4EBF5EAEED8353B63A0E2C8D33013CEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653123Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:35.425{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265BFA475ECA7AF7A2550C95C322E5DA,SHA256=6B6874FAF34A201D2D19907D97828E2850CAEFC5EAE524348DD3BC375BAB49FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554820Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.924{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC2046B2D589B29C7C40C4EA661F01F,SHA256=5F19F4B0474A90104812E73366AD4D9B24310E43AB5BD1B3A9B6829F5E615CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653124Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:36.432{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C048CE001A2D8BC85F00F4A143DAF34B,SHA256=F2E0D4913270660B883623FBBD8A6B5079AC7B83E7C8CBEB291BCB5C86C454A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554819Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.814{E1BD9FC2-6A70-609D-784E-00000000BB01}37321192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554818Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A70-609D-784E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554817Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554816Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554815Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554814Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554813Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554812Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554811Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554810Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554809Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554808Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A70-609D-784E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554807Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.689{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A70-609D-784E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554806Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.690{E1BD9FC2-6A70-609D-784E-00000000BB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554805Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9477239DE128AE56F6E6CE0204365F9,SHA256=DAAD7D8FED5638101CBA3941428C21E9AAA5B29B322372DBAF2C67DD5FEBDCD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554804Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.142{E1BD9FC2-6A70-609D-774E-00000000BB01}26281344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554803Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A70-609D-774E-00000000BB01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554802Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554801Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554800Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554799Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554798Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554797Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554796Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554795Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554794Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554793Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-6A70-609D-774E-00000000BB01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554792Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.017{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A70-609D-774E-00000000BB01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554791Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:36.018{E1BD9FC2-6A70-609D-774E-00000000BB01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554836Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.955{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F3979D8E54FA7EBF073353133838BE,SHA256=AB0877FEC4E04742D073222BA0199BF9945112147B60B104D1143323B2610CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653125Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:37.448{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B499E7511A3743D9CAD0EEFA0AA7662C,SHA256=0F81137F6F5E5608E28620746A9F5FCDCDC7AF0401604052B75A33B94095DB88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554835Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:34.894{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51658-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554834Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.705{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93A4759F1C64967470B0D71CADA36C0C,SHA256=E7F76099795967B87E25E831B908B455EB2DD20B6C0FCD1112FB07C9D7A9B988,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554833Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A71-609D-794E-00000000BB01}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554832Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554831Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554830Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554829Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554828Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554827Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554826Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554825Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554824Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554823Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6A71-609D-794E-00000000BB01}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554822Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.361{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A71-609D-794E-00000000BB01}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554821Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:37.362{E1BD9FC2-6A71-609D-794E-00000000BB01}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000554851Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.955{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517813FB46FD93C9C166A246E7346662,SHA256=034E02C205FDDFED1447F02A6EFD2E570B8F6A785421860A202886E4D064D9F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653128Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:37.447{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65219-false10.0.1.12-8000- 23542300x8000000000000000653127Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:38.487{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE4D8F17BC5D6C43101E4CDB915A5AF,SHA256=1E915F65C02CB3EACD400E4F3A078FEE7F4DE776FA4021A5C9A940CC73828522,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554850Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.158{E1BD9FC2-6A72-609D-7A4E-00000000BB01}20201872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554849Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-6A72-609D-7A4E-00000000BB01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554848Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554847Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554846Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554845Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554844Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554843Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554842Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554841Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554840Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554839Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-6A72-609D-7A4E-00000000BB01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000554838Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.033{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-6A72-609D-7A4E-00000000BB01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000554837Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:38.034{E1BD9FC2-6A72-609D-7A4E-00000000BB01}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653126Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:38.246{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=422BEB6E67BB9FBA2687AFF96CA19AD2,SHA256=017EEEA337193364FB2543410BB662C9A98CA787F19378B7D8AB719F44A24478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653129Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:39.501{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F055C71F4B2B7B13673627445665C6,SHA256=EB086078DA4D684D322763E42C90DC1D59CBE5ED9B4B03B2D7C7A734DBC3513C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554852Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:39.252{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E4569965F46D1B5D57D1AED8C3804D8,SHA256=C0F64320865D9E4C59E1E660D5136C66227E989A3B7A5A91ECE3233E893A38D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653130Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:40.570{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A37479A88EB49CAD2CB2371D982529,SHA256=4E3AEF3D084177643988E2B70783F16C957351D3B8A19FFF7D70050638CEE091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554853Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:40.017{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A429640B950BAF65114FD019E4966E,SHA256=62C703D19EDD9EE8A163DC9D86ED8704838ACC86AAA062446B66DC3FD2B7B967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653131Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:41.589{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD49CC6E659C27E35666D3C5E124162,SHA256=D9480A9E6F918E28C4CBDEB88C139E196E4949F225987E769729FAA84E573662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554854Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:41.033{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE5367EA35CBC5C06FA18F693E41A80,SHA256=93E297FDA36C0E307AE10C0FB06AA1699968F259210C90F3E9D87598E1E51954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653133Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:42.606{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28616ED44A0CB6BF38BF20673F707541,SHA256=1DF3D024C3D49661FF23EB55CD06586D0BD588D8398207E3792CA35CDE7CF371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554856Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:42.299{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A734282AFB0F71E8900DDE2DCAE7B09,SHA256=D0FFD360F629EA3A9B1778EB94156F867C6CD59551F7B941FED08DF9EDFA9B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554855Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:42.095{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8BBFC5F7342179E57D496440CE870D,SHA256=AE65F1E1A3C06DADD070AF7D1C0F6256715C5C8E3BA5893BFBA13AED15605F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653132Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:42.576{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDD08792CFE48EF57E5A6C550A7A7D1E,SHA256=AAF39AF37DBE0E37ACE21EF1BB5887DB1D11F8B86E58BFFE217361CA0A8DF958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653135Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:43.986{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=555B9A6B7947113EE327D179EC416CBF,SHA256=52CBF4A5F4AA027BD1FDF888AE5A68608A3815C8A70417F247F17E3346DF4FBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653134Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:43.613{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA43AF2343A136ABB07D31EB84BE35B5,SHA256=383577F54DE69F9A8E1182F26CBDFFDFE78006B44523BB2B3DB567F6182DE4C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554858Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:40.863{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51659-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000554857Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:43.111{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0371C7C6B970A26ABFC714807A6A69D3,SHA256=BC0631D70EBC720FD628E7AA5564F1DBE3E1AC2F37983DCE2C100B51BF113733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653136Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:44.622{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0142E9F7404273649EBDA1D8ED8037,SHA256=D144319625155E15DE167439F6CA624D1B44C10F3201C0A6E7EE2A2DDCB23D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554859Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:44.126{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397A0093E3C497B5C3A095B5004C1671,SHA256=91050FD6D00B307AB1677F61F5AE3156876984408FB254C8BD34995F54653F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653137Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:45.631{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFA7DB3C68CF2B72C2E61ADCC5FEB64,SHA256=CF22B9B2237218DC47DDF822C72E3FE19EF31FFECF91E8503E639E1A255BDFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554860Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:45.142{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BF75E0A5886F881694E8ECA7119F75,SHA256=E41607F8F13DA5E98732DE82E3E268803A86BFFEB9824C13AD973A0E5DB44E80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653155Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.886{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A7A-609D-6553-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653154Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.884{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653153Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.884{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653152Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.884{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653151Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.884{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653150Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.884{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6A7A-609D-6553-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653149Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.883{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A7A-609D-6553-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653148Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.883{7B03F3B2-6A7A-609D-6553-00000000BA01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653147Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.647{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A785A8D8A9E66A544E870266AE25B0B3,SHA256=2DE9C3625067AEF2B9721F1C29E78AF6C816631CF1D5D5B5411554E5A8FCE1EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554861Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:46.158{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BB2B1F856B6C6531960D3F7C4A71DC,SHA256=EA98BAAC7384EFCDFAC6DBAF221D9F84ED6E7725E7DF3B1F8BE7122EFD9485AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653146Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.304{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A7A-609D-6453-00000000BA01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653145Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.299{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A7A-609D-6453-00000000BA01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653144Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.295{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A7A-609D-6453-00000000BA01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653143Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.295{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653142Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.295{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653141Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.295{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653140Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.295{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653139Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:46.295{7B03F3B2-6A7A-609D-6453-00000000BA01}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000653138Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:43.481{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65220-false10.0.1.12-8000- 10341000x8000000000000000653166Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.701{7B03F3B2-6A7B-609D-6653-00000000BA01}8442820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653165Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.667{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98D8623A4E263AFDB9AEAEC814A0777,SHA256=2D8370149A6352F0F3973D159D61EFB1BB3240AC5153213F011336B699C865D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554863Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:47.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDF16D67F2933D9CB33EA01F07CDBD48,SHA256=DFD2B55288351A5669065928FAC3E7E57F6850664B2C7E552BC69AEE298CE697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554862Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:47.158{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA66E259D9DA352558608BE9D1F0FE64,SHA256=31F84E9F8A9FBC5FA56CFCAECD57398DBB69685C1429EADEAEE2A7A1878443B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653164Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.509{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A7B-609D-6653-00000000BA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653163Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.506{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653162Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.505{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653161Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.505{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653160Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.505{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653159Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.504{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A7B-609D-6653-00000000BA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653158Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.504{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A7B-609D-6653-00000000BA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653157Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.504{7B03F3B2-6A7B-609D-6653-00000000BA01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653156Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:47.305{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DCAE98AACEEA4CE8D02679838628600,SHA256=6B10252F4E07AB347F66CA1B387A1EB1F033E548DDA4F7E0C89D395A7CFFB72E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653177Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.679{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB903E02F66DD4E70F9E0FDF99B28705,SHA256=BE942F7CB9E4EFC409383534C8234EEDF469AD2F7B3C5935458C05270A38D629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554865Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:48.220{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF80BBCB6F0F4CEC767A53171F8DA59,SHA256=036C091ED59772DA6024720030609FF40CCAB2C6755D1F6BC5F70B32EA5C4AA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653176Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.641{7B03F3B2-6A7C-609D-6753-00000000BA01}73527336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000653175Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.514{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E7F39DAF34544DBB782A1934DBCF95E,SHA256=2C4CA9902E5A4E62E28D3BD9F0359479303D9D4366B3FD340E3C891E1996D468,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653174Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.484{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A7C-609D-6753-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653173Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.482{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653172Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.482{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653171Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.482{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653170Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.482{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653169Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.481{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-6A7C-609D-6753-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653168Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.481{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A7C-609D-6753-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653167Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:48.481{7B03F3B2-6A7C-609D-6753-00000000BA01}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000554864Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:45.881{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51660-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000653188Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.703{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9360072EC0AAF540850DB8F9C5AF01,SHA256=EC30FDABE09E7A2BFE41D263CCFEF5F27EB0C00A9F9A319F004F6822400EF094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554866Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:49.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DC6D2432AF7AEFAB8FB7B396837CBA,SHA256=78FAEA66C9082694D296455F8A856B120003A3268B2E383DEA7FD1137003AE40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653187Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.662{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E108367B32C8B1ACC56AA1FEAB05FBF,SHA256=7ED0B98FBBCBA25419840289F763BAB5343108EB7B45670DB05FCBFE495F63E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653186Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.314{7B03F3B2-6A7D-609D-6853-00000000BA01}40608128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653185Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.166{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A7D-609D-6853-00000000BA01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653184Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.164{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653183Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.164{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653182Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.164{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653181Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.164{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653180Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.163{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6A7D-609D-6853-00000000BA01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653179Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.163{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A7D-609D-6853-00000000BA01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653178Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.163{7B03F3B2-6A7D-609D-6853-00000000BA01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653189Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:50.709{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14427C47542F7C1E8A9D779B2BE61C7,SHA256=245694DFD0F7138BE1D3FDA99BB32CE8D00BA76F4544FC84B886CBF28086F922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554867Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:50.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F37E54E6ED382E50F446990E44A23F,SHA256=A7A28B680B71375A4D007CC7351A8764119CDAA27C42123E626D89D03F71005F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653200Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:49.311{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65221-false10.0.1.12-8000- 23542300x8000000000000000653199Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.722{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7BEB179F977044ADD6523B809B2B060,SHA256=0CB447E0E283CF10E605C8B3A782B7E04EA639A51E104A39AAB168102F3B1810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554868Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:51.283{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1AA28DDEF03FF8B05B6A9295E6307E,SHA256=DB964020A69089BFF65B86A44EAF74015B40BCA97A94EB3A25864F4A525D7C34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653198Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.472{7B03F3B2-6A7F-609D-6953-00000000BA01}11406588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653197Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.287{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A7F-609D-6953-00000000BA01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653196Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.285{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653195Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.285{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653194Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.284{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653193Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.284{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653192Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.284{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-6A7F-609D-6953-00000000BA01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653191Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.284{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A7F-609D-6953-00000000BA01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653190Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:51.283{7B03F3B2-6A7F-609D-6953-00000000BA01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653211Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.944{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FD38BD6FC2F5483C1A11D5941704C905,SHA256=5B3A5D4C64A210D3E99DE2D8AE417729EFD89CA569AB408CD3E6171780E8B2C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653210Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.767{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EC4990887DB42E53F2474EF4985B76,SHA256=7AEC8B5733FC27960B31A122D49E8470FA4C11365E7D0F83CF4F04A9CAC4AD47,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000554879Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000554878Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a20ed7d) 13241300x8000000000000000554877Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7481a-0x3a95dfc2) 13241300x8000000000000000554876Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74822-0x9c5a47c2) 13241300x8000000000000000554875Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482a-0xfe1eafc2) 13241300x8000000000000000554874Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000554873Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a20ed7d) 13241300x8000000000000000554872Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7481a-0x3a95dfc2) 13241300x8000000000000000554871Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74822-0x9c5a47c2) 13241300x8000000000000000554870Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 18:05:52.767{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7482a-0xfe1eafc2) 23542300x8000000000000000554869Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:52.283{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C0D2B5F90C8114CD011179AA0E43CF,SHA256=8FF79FEBB76181CF6C67A989A50A2AB03B463B8626F3BCA26A95BA84A77824F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653209Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.296{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1093855B76803C7A9D2229886189A185,SHA256=932FA54FD08D51E786FA87E3214DF5957BF40BD5442D81093E985CB36D34BBEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000653208Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.044{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-6A80-609D-6A53-00000000BA01}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653207Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.043{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653206Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.042{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653205Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.042{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653204Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.042{7B03F3B2-D0CA-609A-0C00-00000000BA01}8566656C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000653203Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.042{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-6A80-609D-6A53-00000000BA01}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000653202Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.042{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-6A80-609D-6A53-00000000BA01}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000653201Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:52.041{7B03F3B2-6A80-609D-6A53-00000000BA01}4696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000653212Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:53.783{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C9369488B34B217905078CBC7CA6D6,SHA256=F1F264C3BB851A5627FB8E2FDB63AFCE06AD32A0B8DDA29CD0A485874F11CF29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554882Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:53.314{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3186EB090F5422642B44F1131D624C,SHA256=2497D7DC103BDF29401B0854E0F199D1F5077BD08C1073B7CE70A93829908416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554881Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:53.251{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94453D123BB3C543E3C99A4AA54B79C8,SHA256=05603A413237A2BA4E35056FBD46953C0DA8F8AC0393C412E306F28938F793CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554880Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:53.251{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DD0F307DA53ACCC82612DCCDB012D10,SHA256=BB68027D1FC771E9576BB1E9DBE7AC87C250F0765307A3FB8BAAAB210A640CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653213Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:54.790{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2495A6E6DD92AEB55505EA09CD6898,SHA256=740A8BEB601928AA3CC85BF85D41C033628D0A28BEF76AA47B7916D1AAEE7806,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000554887Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:54.408{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554886Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:54.408{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554885Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:54.408{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000554884Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:54.345{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07122BF0A7E73ECD4A6EB4DBE1EDC501,SHA256=CF48DD72C6871478B975E897673A5D0F982F6D3316A80056DA897F4AA06F079D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000554883Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:51.878{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local51661-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000653215Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:55.815{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D70F957AD4BDC8A6FF3F14FFEA98875,SHA256=F5BBE90186C56C52DF8A8039DD28EECC3165457EB23B452BB13F7F0D436BBE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554888Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:55.361{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC34BC7FC370E8D9FD8DCC6DC3DBD1CB,SHA256=42AA290F34530C055E94F54494429DA65487E4E0D0661A69CC0545B3FBC25384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653214Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:55.116{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59688D0067592E6093814DEE01A35518,SHA256=06E73EBC616430DD441307A5DDB4808F6062CF67592209034B2F8707584124BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554889Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:56.392{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF039E456DD64A8CA6055CB133C6ED7,SHA256=56689572895C9493EAB916E16691E4B0DC2D698C87C8EEBDA91843F645CBB36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653216Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:56.836{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65DE4173A64DC12E79F4966D9AA7325,SHA256=E398FD098308D2CDDC01069610FB6966ED545565DA8BB159EAD602704FD4F815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653218Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:57.845{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C014DAE341934B4C1037B7EF1A699793,SHA256=4EF1C6C69300B3B3DF14C31A23787C789B79D8A4834279F2E8E0D517531FBBDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554890Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:57.408{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=702F308721E6CB056E20AE9C267C19B5,SHA256=C2086D289A00ED9731DB15A3DF35577BB6AC2AE019BCD4DC9BADDF89273DFA38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000653217Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:54.350{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local65222-false10.0.1.12-8000- 23542300x8000000000000000653219Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:58.873{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C01E2921D4EC5F662954091CA07BDF1,SHA256=CE54BEB8E3B766837A1A7B99D2B032FE5BCD5270492635DE920D63B5861CD49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000554891Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 18:05:58.408{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DBA22133FBCCDB71E675A647B37C5D,SHA256=E56E4D09520F35AC44F955803739BE019274380EC9A6755908D6230BF3398646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653231Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 18:05:59.887{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\spl