23542300x8000000000000000595059Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:50:58.709{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EF5D356E100FB9B3176FC492A5812D,SHA256=67C05B2F1D1B112FAF866BE69488A601DBCCE1F9DE037D940CEA5801757C2B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648770Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:50:58.436{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985BBBD9883FB27987D124BA817E3804,SHA256=12E0F819164FF15A068BE1E19B19562DD50BB224ED27176DEEE978294F667EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595058Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:50:58.225{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33CC16319793AE9F84AE64EA5D56C30C,SHA256=A530D695BFA6E71C53C6E6DE3F3E8B13E7D9FBCFDE16C4AC8F130CF4A8138269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595061Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:50:59.741{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF78E7ED2E2F0E6E77B8E0C0ED8D7A82,SHA256=E23C6A61A62398CB437DE6FA67BFDF4B4B987E4C0DE960FE4FACCEB2831A10CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648772Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:50:59.436{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D76A77044B8C5271B0DCBADECD28137,SHA256=DDC94081719F1240A46BD1EB8241F311138F0B17B16E249497F39BC3FCF07B6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595060Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:50:56.040{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49741-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000648771Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:50:59.076{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82F50789B323F6E9C50B9EFA9C3E9BE4,SHA256=E16B4D4C1C0037FFC00F0DFF3531330931FC29CCE4EE626CB2E0BC565F72689C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595063Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:00.741{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714B0E66D12D0CD894096BA21C6DA2F6,SHA256=0709F52D5AF233B0CC5326ED9A56DD8981B934982FEBC57F8CB220F22C004BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648776Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:00.436{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41026417E2E001A2344C3E4871DB40FF,SHA256=DC39CF12890CE20DA7193ADE8CF2B40AB9F2C25F3D65DA8F8E889C86E6B167DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595062Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:50:56.837{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49742-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000648775Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:50:55.647{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49795-false10.0.1.12-8000- 23542300x8000000000000000648774Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:00.342{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBCDD570C42203144ECCDB21DB576E98,SHA256=AD5556240091B54A8526856720CA9BB7F5EA69AED2552CBE790DDAC2D0ED020C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648773Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:00.201{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648778Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:01.607{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD8D7B53F657863E176ED1C47361B30F,SHA256=E85B22F7D0BA4729F643F6F2AEDDC380AD00A0A1A9E4E8EF3D729F827828D4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648777Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:01.451{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A9CEB4DEDDB3AEA4C1BA6060F2035B,SHA256=AFE9AC7CAEC1419A0D7DF020B31929597FC9B8C607F7E6594374BC2BBD1CC5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595065Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:01.881{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D5248E43CD0665C041233A21B885045E,SHA256=03320D18AEDAD15A8690D40E0886C922B9E18C951EE709A02D626E7F452AA38F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595064Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:01.772{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E4F2A49B5E9AE4B3AC9C48931AB19C8,SHA256=6DF70C7450707CCDBA39CDF93C45BBD24000B6F0AB3FE8BDC1CA905639B54049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595066Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:02.787{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4B04E9DD59BC339C76B612D7A914B0,SHA256=796F3A7D2837C04A7168D3FDDC8EA7CFD8C322EDB2F3FB4EC2B8CFFBA017D535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648781Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:02.748{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB663A4AECD942E23885880C4CBD49AB,SHA256=AB096FF29F068320AD791489C264E9170EF738DA8B5B4B9C5ECB8E22AEF2C0E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648780Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:02.467{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7028BAB2159182D04AAF3CBA4F7AB752,SHA256=165B0E27F93F6DE889A15DDB24492E0BE899A4B08BA61B883EAE0DAC48867AEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648779Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:50:57.709{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49796-false10.0.1.12-8089- 23542300x8000000000000000595067Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:03.803{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD22AD3C322D1E72876C0A4AFBE347EB,SHA256=9FCAD0E10FC3E7AF6C96194A0C7AA4FD2262A0BDBCE513F20AEA487C017F57CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648783Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:03.904{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C9F728AEE9DD8CBEC87B1DE0582C6F3,SHA256=9F5462FEB334DFD25A5F18D7BBD566C9982403F7880386349E9457676A320177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648782Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:03.467{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717DAD3A67ED79F8A8A952AF7E67891B,SHA256=95DAB9FA88FDB530448F78F0AC9F57A0A50E679A691AEC8BD93AC2F079436E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595070Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:04.866{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E896609C3C343E5DB8AB99A32DE718,SHA256=696D7769B4060BFD1B7959B6FCD5CA20E0358B4C9714B87EDC079CB94D577B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648784Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:04.467{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52EB5583421F6E267EF31C54E2D29802,SHA256=80326389086B86BBCC2DAA265B83A0CF536BBE6E1859EAE0A3B2B506298F6900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595069Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:04.084{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=999BE1AA2581BEA1EA955870D17D2476,SHA256=8F38D5FDFE414B5874BCF0E544116E897C62A37A515009BB75C51D9723D1F6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595068Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:04.084{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9991BCAA9C0CD92C4E47AF4D825FEF8,SHA256=52B79D4215F988BA9714ABE11FB5E291FC95A77EEC174E5C96D93154F1B9BBF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595072Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:05.928{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB15ABB4031621D27928D8A7BD735017,SHA256=050F4E052B549CE5F6BC394774883C01C75BC1AF5E2CD7F0632DEB651F1106D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648794Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:05.701{D419E45B-78A4-60B6-BF02-00000000C401}397632C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648793Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:05.701{D419E45B-78A4-60B6-BF02-00000000C401}397632C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648792Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:05.701{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648791Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:05.701{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648790Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:05.701{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648789Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:05.701{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000648788Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:01.522{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local49797-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000648787Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:01.522{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local49797-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000648786Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:05.482{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5DD1E5774EFBF5F638DDED8CA7470F8,SHA256=344C8DF33DC406E8A0A53F9E5C121F09A04F7B60E0DAE766E35D197E6B126559,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595071Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:01.901{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49743-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000648785Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:04.998{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B10067232A13DF9DFAFEB8A256966EE4,SHA256=DBF67A3A90DC9C7F9B5A552EF1AEBA325283B01AF56864F449CC8DAE48387042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595073Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:06.944{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356FDB9CDE919E4543E0B712C3BBE1EF,SHA256=3BF31B124C46963B90B2981C1FFADE4ACCAF2273FDEEB7051C602DD0987151C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648803Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.607{D419E45B-78A4-60B6-BF02-00000000C401}397632C:\Windows\Explorer.EXE{D419E45B-78CF-60B6-0E03-00000000C401}5960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648802Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.607{D419E45B-78A4-60B6-BF02-00000000C401}397632C:\Windows\Explorer.EXE{D419E45B-78CF-60B6-0E03-00000000C401}5960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648801Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.607{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-78CF-60B6-0F03-00000000C401}6080C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648800Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.607{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-78CF-60B6-0F03-00000000C401}6080C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648799Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.607{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-78CF-60B6-0F03-00000000C401}6080C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648798Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.607{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-78CF-60B6-0F03-00000000C401}6080C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000648797Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:01.616{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49798-false10.0.1.12-8000- 23542300x8000000000000000648796Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.482{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1B092C496D38AB31843BF893450C33,SHA256=DD8D8145855491462F38E8725D29D6DD59DCDBE5768A5D3A29934A0A3371421B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648795Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.139{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8344DA0F03700225DE5F19EA2CD1E207,SHA256=FA92527EC45E3726F41F41ED0C1BF437416CE1BC029CAA13EE1AE37E520123A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595074Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:07.959{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267D4CF6BC11C159E85465ED849FB894,SHA256=6AFAE82900A1B0019FC08652B0DE5E5641BCDE01A24F388AD8B0E67FDD1F27FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648811Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.623{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A68058A2C9C70356ECB810AA8A55B4E,SHA256=C06EC709988418C8725D0294442FEFF417C401133EE40495C5FD420068D14F76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648810Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.404{D419E45B-78A4-60B6-BF02-00000000C401}397632C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648809Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.404{D419E45B-78A4-60B6-BF02-00000000C401}397632C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648808Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.404{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648807Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.404{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648806Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.404{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648805Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.404{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000648804Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.404{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9140D54A6F4592CE08D30B83B95F7A6C,SHA256=EFC6B1D22B6DCFD28ADC7113EB324912B328DC58B275EDA1923DAD4F6056458F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595075Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:08.991{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D578BC9F0938A963302AB182B3ED181,SHA256=FF07A9BB44AF30C1577FB52AF6D61269BD036FE6A569A844E4C6DD735579F54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648813Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:08.686{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F12D2E6D6E9E07DB6FA22C377ACD38,SHA256=85631B00402F4CA18B665FC3DDFCB628BA5C801FED84F39D6CEFEAF62E183BBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648812Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:08.654{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=444E7D32F1D817221271C97A17AAF129,SHA256=A01F931E563DDBC87510F277726713ED84D27D652E53F7ACFDA3798536FA25E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648814Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:09.748{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A84DB7A692D7F484D271748F7B90DFC,SHA256=F58B76D086CFF71E930F4DE69674E1FF5C81DCDDBA13E3604D620F334B961D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595076Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:09.991{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99B983DE935E41377B72CAC3F48B2C2,SHA256=84E61480B4050B59C80BFB727BBF4E5B75D174CB0ADA5F1DB7A9D9068A5C4F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648816Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:10.779{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45556A14A12BC2F67960B544C2562292,SHA256=960CBC1F62791B7BF607E6AA57403E593969C6BE5D272AAF01F923CA107CBDAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595081Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:10.991{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D2494EECC23C882F8DA1DED82A23AB,SHA256=5B8AF5B0D4632ACAACFDABB5948F34BEE73BADC95650F390D453FFAC1F81E395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648815Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:09.998{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E94B56AA682FFA269872540E8365534C,SHA256=27DAD1BF18CEAFE9D2C1601616C4145D9EB71374FA9EE4E1E4984DC904490D5D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000595080Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:10.928{97C2ED32-772F-60B6-1100-00000000C501}984C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7587f-0x82cd14df) 354300x8000000000000000595079Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:07.931{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49744-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595078Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:10.131{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA1E6535B5C5D81A16A87014B84856AB,SHA256=57AD61D5F46EF5A281B659A72C5DD71DF6852C5BE0B883359BF26E894F9C7EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595077Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:10.131{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=999BE1AA2581BEA1EA955870D17D2476,SHA256=8F38D5FDFE414B5874BCF0E544116E897C62A37A515009BB75C51D9723D1F6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648819Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:11.904{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B67B6EAF49A650EC9F6950F668FDDE,SHA256=DDDC8676910E8FBCFB11CDAF52D56F5EF0AA8B94B88583AE76CF86224A6C70B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.647{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49799-false10.0.1.12-8000- 23542300x8000000000000000648817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:11.123{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=806FE827AA1D97B969A029384AC65E57,SHA256=21842576ED0C266D1F4803393EED9A4A4018C4F689605678DE03669D696FA868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648821Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:12.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD392496489D15390A92CD2AD573284,SHA256=7EA029A50036A2D42AD1EB2328618DA7BFAF8FAD0D7A71AB72F4561395DB5075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648820Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:12.201{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8A1CE1D068A3677B36C1A71BF4B3ED2,SHA256=11DF8F535ED2A9F3288A1E1C9B35D3FC4F5FBAAC49297461DB13F6E98CD21FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595082Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:12.022{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8947ACAD4F1D7CB9C50CAAF0B1E2FEA8,SHA256=4060E89A6CF412BAC44C62B8BAE4B1DD22D06A90114ED45240994A60DB1446F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648831Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C40B366183CC4BAC5F8198375CC6FC6,SHA256=B5FB740B40B62A3D29F95265C709E7C596D3780E4408A520A8281606D3DB67E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595083Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:13.037{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188D35DB6845105DFFC8AE2DBD3DA4D2,SHA256=BC71480D5580D1144F870DE5DD8C66B3681581BB3B0C97E0B0DEB9851E5330B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648830Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE51-60B8-5F4E-00000000C401}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648829Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648828Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648827Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648826Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648825Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DE51-60B8-5F4E-00000000C401}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648824Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE51-60B8-5F4E-00000000C401}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648823Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.812{D419E45B-DE51-60B8-5F4E-00000000C401}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648822Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.342{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4E2A102BA874C87B9C0E7BA0270867E,SHA256=F0E7DBC6BF46A712BD5AB97753D66C3C88D99DA739FFAE3370DCAFFF549A360F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595084Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:14.053{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5D52AAEC446F8C264ABC1C375A3372,SHA256=47E7291F753B1A4EECC7DFCCD2F6A7FD5EFF8971D574F8197AEBC0E540BF6B12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648841Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.670{D419E45B-DE52-60B8-604E-00000000C401}35846860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648840Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE52-60B8-604E-00000000C401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648839Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648838Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648837Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648836Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648835Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DE52-60B8-604E-00000000C401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648834Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE52-60B8-604E-00000000C401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648833Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.499{D419E45B-DE52-60B8-604E-00000000C401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648832Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.482{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EB3D2A1DA0B0E23D12759104BC4F7BB,SHA256=CE1E4DB3D6C424D7AC4CDB2D237C3D80401E1A4C8C1B65D1E1178CA1D9CA420F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595088Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:12.993{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49745-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595087Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:15.194{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F112CE5F47605F44CFB643AE600FB961,SHA256=177C1C9188320A219F5675E499DFDE15E9E22614BD475737D198C2D6D42B56E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595086Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:15.194{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA1E6535B5C5D81A16A87014B84856AB,SHA256=57AD61D5F46EF5A281B659A72C5DD71DF6852C5BE0B883359BF26E894F9C7EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595085Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:15.116{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2C7BA0E9FB5548C8F75C0D7EB87CEB,SHA256=B52143B15A683343CB00398917032F481D73BA6B3E9BA39D9ECCB93D232BA664,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.873{D419E45B-DE53-60B8-624E-00000000C401}19206916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.717{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE53-60B8-624E-00000000C401}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.717{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.701{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.701{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.701{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE53-60B8-624E-00000000C401}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.701{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.701{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE53-60B8-624E-00000000C401}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.704{D419E45B-DE53-60B8-624E-00000000C401}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.529{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D98E3F36B87E575B4772BD820AC0F125,SHA256=395383B1A1E0A3B7E95EABBEF2C1098E2605E51DC71A085EF30282E78B1F2284,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.295{D419E45B-DE53-60B8-614E-00000000C401}50366780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE53-60B8-614E-00000000C401}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DE53-60B8-614E-00000000C401}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE53-60B8-614E-00000000C401}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648843Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.078{D419E45B-DE53-60B8-614E-00000000C401}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648842Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.998{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8AC064DAFC06556DD269DCC48116486,SHA256=2B439BF6D0AFB5348305E81976F80CA36016176F6D1DC38E754AB8AF346DE191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595089Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:16.131{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAC96958EAA1093C4C35B9E7F5222E6,SHA256=E1A2839BF9BD116505CE3880E67B09BBB238B12EC9E1B2504974E2FDECD60D7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648871Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.600{D419E45B-DE54-60B8-634E-00000000C401}46881076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648870Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.412{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE54-60B8-634E-00000000C401}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648869Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648868Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DE54-60B8-634E-00000000C401}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE54-60B8-634E-00000000C401}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.398{D419E45B-DE54-60B8-634E-00000000C401}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.014{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58EEFF381C13B47850EE69F233450D6,SHA256=851B9C9140C04A7C9A18B75429325C7012CA87251915A55936469DB5724791C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595090Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:17.139{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C450F5769AD062A5B2F1CA77B23A43D8,SHA256=A5D798FFE9B8FD8C567DA293F7A002FD83AFD5A67ABCFA9B268590A607B97E23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648890Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.569{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49800-false10.0.1.12-8000- 10341000x8000000000000000648889Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE55-60B8-654E-00000000C401}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648888Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648887Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648886Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648885Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648884Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE55-60B8-654E-00000000C401}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648883Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE55-60B8-654E-00000000C401}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648882Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.741{D419E45B-DE55-60B8-654E-00000000C401}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648881Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.194{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2969B68F9E1F06FC1D3DEC183D57AF,SHA256=DCB6F8EA7846E22CE982F16119D8EA8522A49C06C0243D5D3A21B653AF75D062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648880Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.194{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BD30B9BB96FE4D2FC3F269AA23FD9EE,SHA256=FCFBF72426E75D432984666DE05BD9EC782DBA6D611127D006242DE2A75F2E3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648879Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.084{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE55-60B8-644E-00000000C401}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648878Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648877Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648876Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648875Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648874Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DE55-60B8-644E-00000000C401}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648873Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE55-60B8-644E-00000000C401}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648872Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.069{D419E45B-DE55-60B8-644E-00000000C401}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595091Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:18.155{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FCA5344EBEEC4C6691B40B25EA7174,SHA256=121E13CC97B0B0A69C60881AE35E0CBBD0048D5780854AFB2840DAD52658D56D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648892Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:18.350{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6309F836D90779D9BC32A7492625AC94,SHA256=CDB18316A284856F380F39C350CB12E35AC8A0929971D0CAC691906EB519EC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648891Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:18.334{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7460CE2370187C60D1D4E28D6A362844,SHA256=B4A47A335E30266FDBC66C8EE043F852277EB09CE150FB9EE405E072811DA93F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648894Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:19.506{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AB71019F91E73E0FF814E9C18AA7F71,SHA256=8D0CD25D146388B2ACFF90F0EDB7FA28F0CB235E92F6D604C8525F265F93EE10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648893Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:19.366{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C60B854B7648D289C0FF73BDA48D29,SHA256=79F9D3E90BA96D0C6952577A9B8F5347B418B140C3639344F9A07CADFF8956CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595092Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:19.170{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157B495E3BDD32CCBF809DEB785BE3DF,SHA256=DAF123A1AA756F62CF1438B0166D0409078C55CC53706D695F200EBD70D0A76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648896Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:20.647{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E7FE44B379F7AB6DA3276BD202441DB,SHA256=2D42AA68B5E2864B7C23BFE3A5FBD443CA216FBF03D4A56519455F1BF7A84D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648895Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:20.381{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21715F309A36096CF626E328F3401F7F,SHA256=B4434DCF1C385E773593768A71BDD17810B5E2C338CAC2424924508EB5E40E9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595093Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:20.202{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27518F35EE733D4A2A0E6494595BA21B,SHA256=84E6D3D37296D6442D6A8734DBD0F3A8DC845794FADFD2B3771F61F3EED6E74C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648898Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:21.787{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44DD82C6C436C7D115F00225C71DB2A7,SHA256=027A6D9D4680478DBD14CB70620CDF80727AE526F35DC529A6B36FC307BC0CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648897Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:21.397{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055316202FF7D7F780136C30C22B2AA3,SHA256=E14C0C9575216A8248CDD1BE3221EAD842E64C5B6AB3D451DDE849AEF5270F59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595097Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:18.908{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49746-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595096Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:21.249{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F39025D1F0BCEB1653929BC42A0B842,SHA256=5DC506F7549F34C21886F8D4FDA20F5310DEBE81853CE3BE174EA5B17A5CE608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595095Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:21.249{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F112CE5F47605F44CFB643AE600FB961,SHA256=177C1C9188320A219F5675E499DFDE15E9E22614BD475737D198C2D6D42B56E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595094Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:21.233{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7610D2BA47557E983A9AD752E305F1,SHA256=E7CA19201A7B00616FBDA88D5A0BE220D2BF46F40FB3D23BB7CF4B21690D58BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595098Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:22.233{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C392ECB669DBD213E02D690F6BA8373E,SHA256=FCFAE1286FF4EDCFE5D044C6B3C92EBD6A7EB318BBEA5BA9743044BE9A6D85A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648900Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:22.819{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E8BE34E58F53F7B308560849F3D9607,SHA256=0605FC47049FE9ECEBD08D74BDA7B7FFCA7DAB151E62BFB503D7F9026CCFA713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648899Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:22.444{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D2A4AE8952DF04591DC1A3D7F931DD2,SHA256=B8C9F64EBCB7A223037A71D8FB10E8FB6B76CE640334ADEED38C05930B0FAEEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648903Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:23.975{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D8803EB028F90B5C367DA254443A6A4,SHA256=6BDBE1E58305C3DB8D5DC9796FC55B70A2D1A2296B6C9DFFF4DF9F7C7C34A8E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648902Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:23.475{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB15866F84729F17E9359B86B6A10B3C,SHA256=622E9615ED16C1CF90739D3E5D8625822F0D065429DB687F290080FBADD7D5A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595099Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:23.233{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B5FABB36A46A73B7E8BBBEFD191E7F5,SHA256=189C52C8FC8F810E55A540F06DC35791ECF469809D801AF50A54FBA67D9771EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648901Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:18.733{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49801-false10.0.1.12-8000- 23542300x8000000000000000648904Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:24.490{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E8208729F87724D8AADE9856B8BC4C,SHA256=B643330681BE22D721112B53F6189742CDC49715110E50140AC2944A32D49C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595100Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:24.264{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE36B185F4863391F2DC60997FEB4C1,SHA256=96C7D99D987DDBFA5CD1FE89E39BEF66773C39F49B14B7031F11453942D5B426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648906Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:25.506{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10FDF10BDD7B220F16B4C75DEE1F7F6,SHA256=2EC775A3952F520A13571B87C5F1D2F0003DE050F5A27DBAFB8F2BB447F8AE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595101Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:25.280{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0B0A7A1969CAFA82C9C6EADA1E06B1,SHA256=CCBE147D3CB5BC7A71A71D54365F4F6F2E070C952DD4E642A36BC195688F9976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648905Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:25.225{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37B7180769E423EF58FC64B7BC016794,SHA256=1E3EFDB8541179ADCE704B4F545D374FA60F8B8FCEA1A23327C0D770CAD4497D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648908Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:26.709{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6937CBCCF382FE2F4206191179442A56,SHA256=304AD5F9F2E92F971BCB88F00C370E63A093D98A6A4D584EC19EC19146A7B113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648907Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:26.522{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9636BCC792E09E86984DF27AB3842250,SHA256=248CA1C76EE481A8DA31D8BFE9209629233C680477A4EEE64241FF2DB1F18C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595104Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:26.280{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=785F343EA9F874030691A25FE6B13575,SHA256=59449590FCA71758BC8240E93F70BC72D61E7CFEEECD5B520CC56B51C8439828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595103Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:26.264{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5D920DF74F38FF595E4524E0E0D3522,SHA256=85434622A7ECF4332B8C4F41192B8976058D16ABD803AD0617C8DDC22D7CC965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595102Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:26.264{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F39025D1F0BCEB1653929BC42A0B842,SHA256=5DC506F7549F34C21886F8D4FDA20F5310DEBE81853CE3BE174EA5B17A5CE608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648910Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:27.865{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE27964F81A7526EDF1A2B635CF96770,SHA256=A7E8532937189882E545FAE66CC193BBE25F55B341E544AF04355BE7BDAA4309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648909Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:27.553{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96D5D543494CBFD9709DAF705FE63E7,SHA256=B4FEAA2C8182507207ABC6AE43224EC7E104C8776A4FF982842562BADAEDEDFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595106Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:24.064{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49747-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595105Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:27.295{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FDB38C09790A06399E08932F7AB71D,SHA256=C03983AE0B759CB27BCF84A2B826A6385A8A9294DC2260829B62879F25A712EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648911Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:28.584{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620CADA9F40C9A15C449FAD9EB3495B4,SHA256=677AADA612DF19EC5D9F4C40F3EBE96E2FFECD269E78DF8B3D5CCD5FFB0294E6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000595127Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.780{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000595126Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.764{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595125Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.764{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595124Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-7730-60B6-1600-00000000C501}12042728C:\Windows\system32\svchost.exe{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595123Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595122Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-DE60-60B8-4058-00000000C501}3728C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595121Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-DE60-60B8-4058-00000000C501}3728C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595120Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595119Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595118Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595117Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-DE60-60B8-4058-00000000C501}37281084C:\Windows\system32\conhost.exe{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595116Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.733{97C2ED32-9094-60B6-BC06-00000000C501}9441004C:\Windows\system32\csrss.exe{97C2ED32-DE60-60B8-4058-00000000C501}3728C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595115Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.733{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595114Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.733{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595113Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.733{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595112Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.733{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595111Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.733{97C2ED32-9094-60B6-BC06-00000000C501}9441324C:\Windows\system32\csrss.exe{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595110Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.733{97C2ED32-9D3E-60B6-7A08-00000000C501}33644988C:\Windows\system32\ServerManager.exe{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000595109Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.728{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000595108Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.686{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=EBBFDE2738D1C9E9FED762F1CBF83657,SHA256=CB04DE3BF92BF291A75B4632BFC234BE80439240408911D6113120DD2FFA7BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595107Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.327{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55E5865A323D6AA1B444EA22F0CF1CF,SHA256=FEF54DDD0EE4935C13E868BE5C1A5497015D31233D7686D47C08C3A824ACBFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648914Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:29.615{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9C6CE768F304DED70FEF16AA5E6AB5,SHA256=1B349A07AB28FCBA2F8A35842749AE5403CE12E15ED8B495C9C02D717166625E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595140Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.850{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F36AF52899F9DF8FF2ADA69C3B5696CC,SHA256=451C7C9EE7E9420D0E721F34C5E57C2DFF463D5E85A4CA13ED4E8E509D26BE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595139Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.850{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=877F793506A34AA7BFCA4F3314899146,SHA256=2E379D8F458F18B21D0B5723B6FBA945808D34FF3F614FAE5F2085797B333F6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595138Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595137Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595136Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595135Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595134Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595133Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595132Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595131Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595130Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595129Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.725{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5D920DF74F38FF595E4524E0E0D3522,SHA256=85434622A7ECF4332B8C4F41192B8976058D16ABD803AD0617C8DDC22D7CC965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595128Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.327{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A29B13ECB3C951CC83574DFD571852,SHA256=F66BE9597F9CC8A666C4FB688E48124A61A1CAD08B4F59A4A72B667D6F004942,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648913Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:24.623{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49803-false10.0.1.12-8000- 23542300x8000000000000000648912Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:29.022{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EE1A2A8E5489D0A1B34CE5F49189076,SHA256=A1800137E90ACDD3E45477FFB2F1BA4EBC113547EC24EA810050289BA2A5D3CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648916Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:30.631{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A039134736EAE3B22831B104C2124F6D,SHA256=C0D03308A98E981604BB0C10BCE4A479A5B683327FB2E43149BFF15587BF17CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595143Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:27.612{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local49748-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000595142Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:27.612{97C2ED32-DE60-60B8-3F58-00000000C501}1092<unknown process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local49748-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 23542300x8000000000000000595141Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:30.350{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E835722A8C9D886EAD637F2DE2B1A359,SHA256=07158CB401C40FFFC0C95D3A9F1C31A0B0F1452F289C1C5D1BEB90CB53B26196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648915Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:30.131{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D70BF2655F31596A0619510155563536,SHA256=9F18C7E0B37E72E099364FF25B6957F3B1ECD83A0CA2A273523F919E9794BEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648919Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:31.694{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7378A01D1612DD298663FD52A2D9A82F,SHA256=9C99C5E16C2A78CC33F807095963DBDCC401437B416F189D86A2ACBB0A516284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595144Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:31.378{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F560AA6479C1892651B802AC3DEFD2C,SHA256=8C923E69B9722AE196AB16D1E1DFA931DAC3335BEC9E03D52DFC869565C7DC6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648918Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:31.506{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A36049CBA90C4152B0E9FD88E633FFFC,SHA256=2E6DF80AC96A5E8F0F2E0FA839DE3BC4515FAF033B3677A70E651D0EDB179152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648917Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:31.365{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68AE10BA37C2CA080837A4CC1EFC8D5A,SHA256=8E9830AF24609A7E28EF81D7F2FF7F9CC81C281BDB7E525D98420166F461715E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648921Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:32.710{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09AA56D346CD659464F242C7C948C3B3,SHA256=404F95B0EE76B6F7576053113B40218CD072EF7FAA092F6E92A1DCDC559D6973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595146Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:32.380{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCF9FA16A92EE6EE79C1B3769A180E9,SHA256=1D7A12B333CD7EECC81C4D1D4048F1B926B9C21D41B35F6A89B512970AE81CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648920Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:32.397{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19EE3028A6D43E5CE1EFE697B38C5505,SHA256=9C76C48E0D1BD78FA468017881B5EB01E8A6E865A7FD0EE0D6A3CC936DC4B435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595145Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:32.146{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA891BD3A3F750257B3A39AA5B87661C,SHA256=E88053856A92D2B068CBD3B02E03E48D7000596CDB1AFF05271253C2E8398E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648924Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:33.724{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668DBCC2CF1ADFE3574FC695ED74179D,SHA256=691C467231178BF64E531E62CF3092ECF426F243283F75ECA09C82A512D6BC7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595148Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.943{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49749-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595147Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:33.396{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A7909A50DE77A75FF53D14111072BB,SHA256=05C347DC5565DD86EEA851F2AA5920142F3985693E23336FEB7D9A6E65FBA72C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648923Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:33.492{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78C48561265B15B86F5120F1B828525C,SHA256=4B6903A91EDD958CD66568AC8E31AB72C6B58661AA49409AFAAEDBD5CDD588CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648922Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:29.654{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49804-false10.0.1.12-8000- 23542300x8000000000000000648926Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:34.961{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1C9D3ADFC0427C52E9BAA8AA28115AA,SHA256=F81F0EF2B603D68E8582752E2CA0E4FA09AFCCE5DCA80CAF7FE8FF80D99E4607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648925Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:34.758{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0338A60B9127A4E5811922B0982ED64E,SHA256=C948A02772BBF6E97F6B829A36560BA82EEEEEBDADF389440916BABA9A32F42E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595149Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:34.396{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3373C33D25516873AFBC4384A55E454,SHA256=22E44C6B3CFA7FCE4BEA68F5F72962E50DE0559CAAE357EB71C6F43D80C144B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648927Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:35.758{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55A912F3775A82CE03AC5FBC4955046,SHA256=D5C904DA97422D8A25C7A16A2675F8F1186C18F8FFD1709F407341DD1DFA5946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595150Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:35.411{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF08B6B831AC7753962AFCD1F2989B71,SHA256=016DDB1C2B4DC65CED0378875821497CAEFCBA68D7FA3FD565AE0D67710219E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648929Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:36.764{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE2C1B770BF49D05FC9E0765E0627EB,SHA256=AD34BD8E735CA010B0D43E37094CEE11897DCE6B3285CE08DE4BCEAE131E10F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595151Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:36.413{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA8945BF36481447A5F791F3A2CB4CE,SHA256=F548A043CA1DA59450A6E68186CC103FC63812DF422F99DC7FE483DDEC241086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648928Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:36.102{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07E5D7D6D2CA20521B4698A640B64F26,SHA256=D74AD96C6F38A1CA9A005FFEAE13E60D559567B099624B308049ACE834AC0812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648931Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:37.873{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B64E731BCB14D8DDD4C1CA02C4EDF4CA,SHA256=2B1C0774A92C98957B46F4C6D54EAC84A7DBFB8E692245B96560C3EA5586DC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595152Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:37.444{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63483B147739955DDB7683232886752,SHA256=DDA7D12336BE5920C492B7B1940594037B30366552D908264803B23B3A045E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648930Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:37.233{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34FE5FEDBD86B28E5C6EF83CA4054768,SHA256=7BF0739441DE93FC4A9CD3ADEBC949920C4BC66B84AFCC5169FBC4FD0C1F8F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648934Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:38.889{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEB3338C00909128A16801896659114,SHA256=E4E881C425C251927565E2B98007120CFD0250764B1C65DF263F5D525BA37DC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595156Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:35.884{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49750-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595155Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:38.507{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A43E60EB9E50E69982B9D835F6ED0C4,SHA256=1A9A801FFF5231DDBC23B627EBE15FBF8C11DD7791FFD8663895CF6F150F978A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648933Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:38.514{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=630ED712EF71948731149CC43F2025F6,SHA256=5451BA4CCC158481A4D4379B42FB5390411C5C9801CC8B71C20EE74EB0931965,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648932Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:34.740{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49805-false10.0.1.12-8000- 23542300x8000000000000000595154Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:38.069{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14D795D9A2EC7C14349B8602FCA5CE5B,SHA256=5A64880C801C03BF200C1A52D183242F3FC8564EEC2630527AFFFD85BEB9E4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595153Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:38.069{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9D9720E6B37D298A8514AE7730684DB,SHA256=9CDD5317CF87918551AAE5D531C65004A5A46995F117E3F42FC10896E1D60CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648936Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:39.905{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667C76C22409732677BA38DEF0C6A694,SHA256=4D935956C19DCFBF3E530F1D66E9D7FE499CFF592974B6F7862D38E861235DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595157Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:39.569{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8F11B780DA00D666749D382E41D1E4,SHA256=3B49B9D5F55D7268483C3961679654CDAF7A771AAAB196CC75937B640E67CEEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648935Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:39.733{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3268E526FEBD67E64D69A8B1D93CE4D4,SHA256=D46DF7F403DC7CD709AF59CEF783BCCBF90F31465013CDBB70F27C3A4792EE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595158Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:40.569{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66FCFF7ACDF3DF6F4347D5B8B6FA24B,SHA256=40158D995BBEBF4B34BC3BB1009DE91B75D50184D77343F7554D73F5849E7171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648937Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:40.920{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8020C665EEBC336120176AF5F9EAFB54,SHA256=16F92D47673F4F015F3530DA31F0B9143567BCAE11CDECA9AF651D069E18956B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648940Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:41.920{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E02F8DF6ABDB28D6B2FF4C5320BC254,SHA256=C5772F779749FFCD6384FFFDF8C5DF6892734438EBB67139F01E6E4C84B74D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595159Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:41.632{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EDB5BCA62B7702EC6E6962096B92F6E,SHA256=7551DCF8637DB92C6F8F1F73F3829F457E8B5B056A134BFEBA137499355A9EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648939Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:41.686{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=70540FA424E8C3698C3855030A674137,SHA256=3FD056E6D3CF83C85670C37ED541711D75D03E837A88A128794DFCCB6A71B610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648938Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:41.092{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE06D5AF2AA560F42D697D6A7CB6A473,SHA256=4D69C1DCCC4505700424F240F7631F677EB4BF436EAD221DD124521AE14E3A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648942Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:42.936{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924990F16816E658510F74F6E4367DDD,SHA256=1092A3AA4EB5FCA2C1D3FCFD40EE9B7C928CE4603F3CD9C7BEE2E393ACD1B196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595160Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:42.647{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9806B87C67D7791B0E28E80123CF96B5,SHA256=3F2A34ECD343BD9E80C55FCE7EB43360AC7FD147C66B8CE42976C3A3A3348277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648941Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:42.233{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2DD5C9F217C5EDE4E03E4C096FAB2DF,SHA256=921162201248718C127643F77ADAABC2384CED75B41EF23EA635801D48B9A4A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648945Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:43.952{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B60FBE0D2CF7418EEFE98F8926889A,SHA256=F04203C5D91FBC5B358102A13D2D5831A88B2953D67E286ECEE067B3A911E239,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595165Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:41.073{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49751-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595164Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:43.664{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0480841E70241D44F00727BDD277F349,SHA256=D75A6A8ECFD3D416D7ED1B0F90EC3EA8998C9089871A832DDF05FDEACCACEAD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648944Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:39.740{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49806-false10.0.1.12-8000- 23542300x8000000000000000648943Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:43.248{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CE6975592BA9B899FCAD1B861206044,SHA256=7CF5C5B2691CB7CD6E02F860D8CEB0640F28D6536BCF80CC62F3C5A0B24A3580,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595163Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:43.335{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-772D-60B6-0100-00000000C501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000595162Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:43.257{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01083638B9A949EB5AAE481580CED864,SHA256=29F9E465DE56C62512D06E3BB10E7BA1A3F3548D010E20ADDF07B28205D53881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595161Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:43.257{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14D795D9A2EC7C14349B8602FCA5CE5B,SHA256=5A64880C801C03BF200C1A52D183242F3FC8564EEC2630527AFFFD85BEB9E4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648949Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:44.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9368CC78C44642BB732E92EFA202977,SHA256=BC659B5E149295C52F843A4786AA830DA23D2E63D31B627E5912B70B8CEC8729,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595170Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:42.169{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49752-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000595169Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:42.168{97C2ED32-772F-60B6-1400-00000000C501}828C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-236.attackrange.local65172-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal53domain 354300x8000000000000000595168Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:42.168{97C2ED32-772F-60B6-1400-00000000C501}828C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:3039:5f36:2821:222a:9ae:ffff-65172-truea00:10e:0:0:0:0:0:0ip-10-0-1-14.us-west-2.compute.internal53domain 23542300x8000000000000000595167Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:44.680{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09687E9A093EBF6A14AA6417E9A17C77,SHA256=88086AC1F6ECC84578B1D886C2C920D1B73F135D75CEE2B957F4DEB3A611ADEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648948Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:40.869{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49752-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000648947Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:40.868{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-233.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal65172- 23542300x8000000000000000648946Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:44.295{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ADB328FA6BF164F8DB4D6137C976489,SHA256=6EEA329A0E861EEFFF91D080422652227B1628EF63C3E6BEC558F65F8D2B555A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595166Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:44.336{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01083638B9A949EB5AAE481580CED864,SHA256=29F9E465DE56C62512D06E3BB10E7BA1A3F3548D010E20ADDF07B28205D53881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648951Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:45.983{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5B4D9D70791861FDD8B8547023ACCC,SHA256=EE711E8393227B2D6C7DE99BC57D25686E5A3F8575DDDA6D29AC820E99395CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595171Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:45.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D34D3ADECFC270A2384C91A861CC8EC,SHA256=6B0B0252B78FB7EF0AA425B53A042A893206EF44B1F730BD2C6A0A0665CA00CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648950Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:45.436{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E86212D30096779F7933D2E63F47BCE1,SHA256=DECD91ABA6DD06C5242021FA5C92B25D7661F3E639CBD917511AD652BCD2361D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595182Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:46.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9ECF3C2ABE2DFB98BF4A5A81B1BC846,SHA256=03F8378490BC7300F5246D5B7E8375F65B6BD34E50B3E7E9BEEC41B7C4EA269A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648952Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:46.811{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D499D25CF1E8E83A82D6B56FFC781BA8,SHA256=5901CEF6F1F865A2C5DAF94F69B028D420DA07634D0C4925289F13D5F755A07B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000595181Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000595180Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0963649d) 13241300x8000000000000000595179Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75877-0x35c89f00) 13241300x8000000000000000595178Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7587f-0x978d0700) 13241300x8000000000000000595177Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75887-0xf9516f00) 13241300x8000000000000000595176Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000595175Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0963649d) 13241300x8000000000000000595174Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75877-0x35c89f00) 13241300x8000000000000000595173Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7587f-0x978d0700) 13241300x8000000000000000595172Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75887-0xf9516f00) 23542300x8000000000000000595183Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:47.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9473CDA787CFDEDFCF911DE639587051,SHA256=B79B94DE170A5CCAB50E0D4B39226CB9C3641153D52C6CC625503A24EE2C1D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648953Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:46.998{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED8097E9ED0C4DB99194A8589CB1AE8,SHA256=6EFC836AA7DCC47E4C573030A4E2970B67163EE1B511898259E3964A0F46012F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595184Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:48.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96640354EA1B3D0A66D23590CB4F0ED9,SHA256=C670D5C66D3E448B6D55764C1DD8871E7E15B563ED4CDA4EFC6F517BBA08F392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648955Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:48.186{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA0697728E342BF859B6F28F1D9A42D2,SHA256=AC97EDFE5FD4C351FB95AE4ADED88BE84C63011FE06F5AA4A7CC20EBC09566C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648954Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:48.014{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3746DEBE9673141FDD37B702EBA62C2D,SHA256=15A445DB60F9D87B9B8E916A6CE8B1E0FF1ED1F838DFD6BB1EC2F33858BCB9E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595195Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.852{97C2ED32-DE75-60B8-4158-00000000C501}7404180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595194Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DE75-60B8-4158-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595193Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595192Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595191Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595190Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595189Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DE75-60B8-4158-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595188Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DE75-60B8-4158-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595187Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-DE75-60B8-4158-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595186Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.711{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7511F49AAC6166B956DEDB2EBCA58C0A,SHA256=C7775E2A01DF8A8AFC913592343B4EB964ED916368BE5DDE9D35EC27A2815A6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648958Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:45.772{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49807-false10.0.1.12-8000- 23542300x8000000000000000648957Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:49.280{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D330A6350264933D0ABAA4712417CCA8,SHA256=9E84FEFFCE82036F5D19CE7DFDE7FC4493015D97AD7C6576C13ECECD18C818B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648956Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:49.030{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C489AF3BA65C9D0708A39DA497B79EE0,SHA256=4805E92A9669C11DAC1B00ADDEE517764F0DE9C8B933418AB0DDEFB5A0FA35BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595185Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.070{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ACD191BEB281153C343F54B08F0D670,SHA256=6FA76B52E74D34AC88C2DED7D4624484AD209ED0F68519D6F321172FFC4D1410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595207Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.727{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C15DA3B57E0817A30163E0CB2D612D,SHA256=34547E6D0B96B04B93A3CFB052FE73546FB188F9CA9E1DCD65C09CD128E360B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595206Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.727{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E460A25AC61C15E8F4EC5CA92CD8127,SHA256=379B2145D8518A685FC8222EA9B003F5B25E784B3FEC3D1E6348AD4B1CEE88D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648960Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:50.467{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=864D143996E98127F281BCC931C82540,SHA256=5B180D3A435557B1DFB2D66C9C25A4BE0371B257AEFEA68B7F3F6B3F95CA5E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648959Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:50.045{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1712A10B035B9514270F4423CE514CB7,SHA256=78F83BF28D096A090E578B66B76F9E2880D21DD7FA726A88CE0899EEBEE4A69E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595205Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.524{97C2ED32-DE76-60B8-4258-00000000C501}44164296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595204Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-BD90-60B8-9F53-00000000C501}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595203Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595202Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595201Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595200Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595199Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-BD90-60B8-9F53-00000000C501}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595198Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-BD90-60B8-9F53-00000000C501}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595197Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-DE76-60B8-4258-00000000C501}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000595196Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:46.901{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49753-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000595225Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.742{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DE77-60B8-4458-00000000C501}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595224Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.742{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595223Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.742{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595222Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.742{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595221Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.742{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595220Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.742{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DE77-60B8-4458-00000000C501}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595219Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.742{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DE77-60B8-4458-00000000C501}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595218Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.743{97C2ED32-DE77-60B8-4458-00000000C501}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595217Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.727{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD720BFC091893704EE08E546EE7590,SHA256=5947D51D631B9FA7EF4CC1F9F2D20BAB46840B5F207F18470219B3FFE6BF5546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648962Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:51.748{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5EE0E71CDA32A94FD5CAF02798D42E0,SHA256=628DA347158AD913FC68D35145ED91D4BFB03B97F89505D0A572DC1C3746CA70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648961Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:51.061{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D07903F8A49AAD4984656373E924BBB4,SHA256=E39AB43BD4CB8D60102A3E1FD43948071DFE30100DDFABEA885BF7308C1F2DF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595216Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.195{97C2ED32-DE77-60B8-4358-00000000C501}34761724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595215Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DE77-60B8-4358-00000000C501}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595214Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595213Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595212Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595211Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595210Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-DE77-60B8-4358-00000000C501}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595209Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DE77-60B8-4358-00000000C501}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595208Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-DE77-60B8-4358-00000000C501}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595235Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.727{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B8DE36F2457F913C5D47218EA1C779,SHA256=2346B910F74D9DE513117D846CE6A9C076634EE8ACFA46B85070313A2ABE43EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595234Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.414{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DE78-60B8-4558-00000000C501}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595233Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.414{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595232Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.414{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595231Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.414{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595230Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.414{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595229Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.414{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-DE78-60B8-4558-00000000C501}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595228Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.414{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DE78-60B8-4558-00000000C501}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595227Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.415{97C2ED32-DE78-60B8-4558-00000000C501}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595226Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.086{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6133628B36EC94F8E357D6E2C6841EAF,SHA256=BFB46D82CE168DD13226DE9050AF6EA8AA1CBE0B6ECE055401C9B3B81A299994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648964Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:52.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBE7CBFB0F2CB506FA59FAFF022F494D,SHA256=E64E6F4E3365D1EFFCD012D7449CF71150DF270523B3108BAD1B2A84CBA08FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648963Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:52.062{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FECAC0196DC94C5258836EFD9166D7A,SHA256=D385F83FEDEB24F6D14182F7E3C3E74FF834D31861086E9756FE32023FAF5B1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595254Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.899{97C2ED32-DE79-60B8-4758-00000000C501}43205372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595253Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DE79-60B8-4758-00000000C501}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595252Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595251Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595250Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595249Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595248Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DE79-60B8-4758-00000000C501}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595247Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DE79-60B8-4758-00000000C501}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595246Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.759{97C2ED32-DE79-60B8-4758-00000000C501}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595245Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.742{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3632276AAB7D0674BFA4EC8F81B99A9D,SHA256=DCE45E9957446F24F87320996A526E462B2AB02B2EDE7A5E5E8BEFE25B5D33EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648965Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:53.077{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C14DADE14CECC0DBAC7723532EB7974,SHA256=6E4BFCAF549951D940154FEEAC930FCEE8E8BB119A0E16057681483FD3B819A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595244Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.446{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B8CEEA3D848E6286FB4092E27BABD7C,SHA256=0EAD732E7EB1676A864FBF2766173CA1A454A6E33FCCF73F9A5A26A4BFEB11D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595243Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DE79-60B8-4658-00000000C501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595242Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595241Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595240Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595239Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595238Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DE79-60B8-4658-00000000C501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595237Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DE79-60B8-4658-00000000C501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595236Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.087{97C2ED32-DE79-60B8-4658-00000000C501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595256Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:54.758{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917CE648DF35028A0F038A96A791D4D6,SHA256=738ABADAD29C6D7AF5A1EE241A666B271958697256907C54E6E752B44E136AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595255Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:54.758{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B2B49EFEC173DD8DF00FF153A9CA3A5,SHA256=6F81C214563175D8A1778DD78092B20306891B22FAFD377FC3F4996DB247D692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648967Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:54.248{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6B2EC2D3E4FF4CD1F96BED9661060A6,SHA256=50DD91B02213D7E6A59D8AFB58EEDB708B4AE26312AEC95D028D9955DB4540EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648966Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:54.077{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F5A1EAA440D885D15409F8E2114464,SHA256=4D59FC00017CDC1398C81665E32D51DB3C2445352CE03892D8C7703A0ECD45A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595258Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:55.758{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89DCDBE7435928802E44F171E13761EA,SHA256=28865A95338C54A906968C9CB09DEC8ACC4544C7D1C2C6632EB7F44CD7A90441,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595257Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.995{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49754-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000648969Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:55.420{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D543C440D3CEAA864D2F8D4847100D00,SHA256=CCED230F6EDDC9803301EE7F2FCA4E00990C483A35BBD1981D6870B58141D151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648968Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:55.092{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F300944A61BE44EB2E03BD2DFA41D61E,SHA256=1ADF4B4500DD79CF71F355AF7DDECAACCDCDEC03A8D27B8204990C55EA309D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595259Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:56.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8188D0B900F7D907AE62001C6280AF1C,SHA256=8B1F2E46E8ADAB0DFDBBB41B314262468EF20FED415C22F28C9936EFC2308312,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648972Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:51.662{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49808-false10.0.1.12-8000- 23542300x8000000000000000648971Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.534{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5D340B7BF318E31FBB02E4E9B02A1D7,SHA256=A8C71EB92002C7AF02F20736331734DA13C4A3E89FEABFEE8B1DBDA1151FAA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648970Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.092{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8E7BF53F10E326C2B443226BC1F3FE,SHA256=56BA5A97202267F902E1BEC43604E6D91DCA4F9BD7244E143B8F875DC4E7735F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595261Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:57.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5E174471A92968B855CB35AE2AF272,SHA256=F9CF4C517930122934DDEEF62A6BBED1D6213229EFF8912CC966254AD08CEA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648974Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.799{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C4A82A821B64BCF6F86C3615A3E49F,SHA256=62B636F021DF7DA004D70EA42B10CF6EB590D2A155C25B020BF834E03DC5152F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648973Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.096{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B909C3D1E82B3821402B9C280961DD,SHA256=78E58F78CBEF50BFC33DD6683DEB407E6277422979BD3CD7878A074B4506B566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595260Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:57.245{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595263Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:58.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E541BBB6363361C3D8B2902056282CA3,SHA256=36D42E1D7A477048F7B4F4BDEEC7A9F170DEFAAEE4094A6AA435EDF70EE076A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649011Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649010Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649009Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649008Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649007Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649006Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000649005Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.955{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000649004Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.924{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649003Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.924{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649002Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.893{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=004D010A5247AC911E18435353BF97C0,SHA256=C0E6238F51660F10FDA76D18A0DE8394EFDE392A979428AFEC294EEB03C05A29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649001Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.580{D419E45B-DE7E-60B8-674E-00000000C401}4812ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649000Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.503{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648999Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.503{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648998Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.440{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648997Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.440{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000648996Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 13:51:58.393{D419E45B-DE7E-60B8-674E-00000000C401}4812\PSHost.132672019182057544.4812.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000648995Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.377{D419E45B-DE7E-60B8-674E-00000000C401}4812ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_gcdcmc5r.vri.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648994Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.377{D419E45B-DE7E-60B8-674E-00000000C401}4812ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2bidgoer.ldg.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000648993Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.299{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2bidgoer.ldg.ps12021-06-03 13:51:58.299 10341000x8000000000000000648992Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.268{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648991Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648990Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648989Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648988Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648987Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648986Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648985Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-DE7E-60B8-664E-00000000C401}61004948C:\Windows\system32\cmd.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648984Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-DE7E-60B8-664E-00000000C401}6100C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1 10341000x8000000000000000648983Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.174{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DE7E-60B8-664E-00000000C401}6100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648982Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.174{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648981Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.174{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648980Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.174{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648979Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.174{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648978Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.174{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-DE7E-60B8-664E-00000000C401}6100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648977Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.174{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DE7E-60B8-664E-00000000C401}6100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000648976Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.167{D419E45B-DE7E-60B8-664E-00000000C401}6100C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000648975Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.112{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA77A7B3C7EFF8ADC1663FC0928FBEFD,SHA256=83C536755EBE2E7B75517AA459DE36F4DB8D1DCD4A1FF54070ABD3976BFD60D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595262Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:58.276{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6AE19543D9B17C8A331F358B4028199,SHA256=A644B150CEF2B7CB0AE522DD0A072C52A42813D46E3B500BF03CCE7B9E80A2A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595265Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:59.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E583088C7A552F76044B769F57FA936E,SHA256=B27F00F1CEBCBE21A79C91819C95DE54F765F611E3D127A0A338CE19CF8D7CD2,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000649030Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.176{D419E45B-A18D-60B6-EF0A-00000000C401}3200win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000649029Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.627{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_wx0nq5il.00zMD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649028Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.627{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_wfyuldho.ywuMD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649027Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.627{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_hpzxallb.vi0MD5=5F619D07A23D16584AA58EEDB1DDCCDC,SHA256=9BBE6801B3B337A07A8B6DF0B52E2C4BB76EB23B35ACC78BA59041690A073EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649026Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.627{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_lc5xhmwd.rxyMD5=16B8F0400C23275FB5F7BFB175F7B491,SHA256=6980226153F7317145EDF65E684F2ED03B242E37D09FD059138BFB51A26F6401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649025Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.627{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_2wamxuo1.5rcMD5=15200722E11C8FB935E1EB3A62BD407C,SHA256=E06941E35D85F9C7A3CF19EBC4D157BAA9AAB7FEBF4592E678EC88E2B4803062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649024Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.612{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_mpgymmk0.vaqMD5=8078C8B8E62CCF450959319A920BDF72,SHA256=EB58B74E3B8EF39F459C613122399757C936A71B94221CE3B7DDBD2B179A5322,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649023Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:51:59.580{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_umiif3bs.kx42021-06-03 13:51:59.580 11241100x8000000000000000649022Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:51:59.549{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_wx0nq5il.00z2021-06-03 13:51:59.549 11241100x8000000000000000649021Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:51:59.549{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_wfyuldho.ywu2021-06-03 13:51:59.549 11241100x8000000000000000649020Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:51:59.534{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_hpzxallb.vi02021-06-03 13:51:59.534 11241100x8000000000000000649019Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:51:59.534{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_lc5xhmwd.rxy2021-06-03 13:51:59.534 11241100x8000000000000000649018Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:51:59.534{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_2wamxuo1.5rc2021-06-03 13:51:59.534 10341000x8000000000000000649017Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.502{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649016Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.502{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000649015Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:51:59.471{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_mpgymmk0.vaq2021-06-03 13:51:59.471 23542300x8000000000000000649014Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.315{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF92DF3A6B70C7DC6986B33C047E3713,SHA256=63469EA8C045E6B6AA12803691EBFEE7E8FF5263C459CBA2E23658FE4A146C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649013Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.252{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2A56A952B1ADABEA10B182D8024E5F68,SHA256=56F792541E3D0D7589713688272F9C45C0B31E7FDAA68E82C87827812FF2E065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649012Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.252{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5E14646F204E0D7AB4ECA3B765F376,SHA256=2432FFA60E54FABBEA5AA786E6673AD4B140FCB8ADC59479FFF7E6BC41A68171,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595264Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:56.061{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49755-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000595268Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:00.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83F1B5D6B009A7827E74935E726CD2D,SHA256=2EF79051DA68F9C1E7E2F4176B365F7B37E33A531F9667CD58D9C7C5C468A411,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649064Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.037{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local49820-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649063Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.037{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local49820-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649062Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.979{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49819-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649061Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.979{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49818-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649060Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.979{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49819-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649059Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.979{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49818-false10.0.1.14win-dc-233.attackrange.local389ldap 23542300x8000000000000000649058Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.815{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BD02F39143D42F709753A7F742927172,SHA256=C512B8130083F5D1FF387013D81B68D1065BCE0689A29240612458B9020796A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649057Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49817-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649056Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49816-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649055Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49814-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649054Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49817-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649053Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49816-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649052Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49813-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649051Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49814-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649050Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49815-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649049Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49813-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649048Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49815-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649047Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49812-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649046Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49812-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649045Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49811-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649044Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49811-false10.0.1.14win-dc-233.attackrange.local389ldap 23542300x8000000000000000649043Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.456{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A9DDF13D430A73B2F0B2FD3370A1197,SHA256=8586E2B8D2D86B26992B99251ADA234FC72F73A8679C4464764DA118498813DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649042Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.346{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649041Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.346{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649040Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.346{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649039Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.330{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000649038Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.330{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E69109EE16D4812AA1BA3475A0614D5,SHA256=8336C4F38C45B7727D1BA4CA5000565B5A995A2B2650139ACC4B45EFDF9A7EC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649037Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.330{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649036Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.330{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000595267Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:57.904{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49756-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595266Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:00.089{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B6D8F4146B9B2BE5A6EEE256E8DA2FA,SHA256=1CDE5DDD599B0E00B2F61081E315C7C8B76CBE29220CED91305A00E85478B572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649035Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.221{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649034Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.509{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49810-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649033Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.509{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49810-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649032Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.480{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49809-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649031Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.480{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49809-false10.0.1.14win-dc-233.attackrange.local389ldap 23542300x8000000000000000595270Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:01.886{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5DEBFCED12D98C40A6E2C603F003C5F4,SHA256=1AE9B15314034DB941F0C19BD67334A76A50DC2AEA2562B86FFE34B319D11F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595269Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:01.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BC4B91CDD322F8327E8985CEEE2687,SHA256=15A28ADBEFA4FB03BE5DEFED748DDE6C623EE2F8A53975D978C75FE10C35DA15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649068Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.729{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49822-false10.0.1.12-8089- 354300x8000000000000000649067Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.604{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49821-false10.0.1.12-8000- 23542300x8000000000000000649066Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:01.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BCBDB04644FD3EE7BC981C1108351CD,SHA256=925349BD2EE0F0DE505BA8FC0A4DBF6C277B513B022F12D950437546311130E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649065Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:01.455{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C348FFA4973D8456189F6A9193B9343,SHA256=4CE801E12AA786BD2B2B25CCBDA8AA6149FE4F8CCE6F3DF619BD2433E3A6EF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595271Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:02.776{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A9AB9280CA8739F2A8E90B652DF5A4,SHA256=87E53DFE7131F49851F037CC3ACB5E4E3B4EDD38E05A37C92EA14B53E5CBB54E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649070Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:02.674{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F469FFE7C59BF227DD663784523EC8F,SHA256=075885EF9614EA45D5F521A3590909E81C5F203EC0CFE6642D27349E01401F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649069Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:02.659{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69D4ABC55B42FFC7DB1052CCDC211764,SHA256=9F2807F266471F65376F1143AF5A40D2D2A5FD93D5C7B29F7FA524CBDDD6C067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595272Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:03.776{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250CB454E25ADB3D2EF85AB166C8D89B,SHA256=144892C263B7C7AC7A0AE48CFE8ADB20AB8004A302ECF6B66D5418CCF03D11D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649072Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:03.831{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B8EAB45DD79BE4593C7C9639FA10A7E,SHA256=71DD7533978D4270CA79F8E1A36F8C0D8EBB08DCDCC6898E52A629E507A6CD05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649071Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:03.831{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E555CB7168F83DC19BE02BFD7FF0BA5B,SHA256=90F8C47A2B600CB2F184794D5CB2BD751F6D5B75A80AED73FFB09B0C67E1AE62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649074Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:04.971{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4670135D7C46279A0E025D6655B3DF0B,SHA256=758C08E5CB7D45528763089349CDCE76E2D64B389FC663502BCC41A058B73892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649073Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:04.971{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116DA717B4B8CF327917BBAC3E9FA313,SHA256=6053EC2563EA60A52E13216CE42B11A858D8548E87C91E5C71D4D71787FB3F8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595273Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:04.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD3C33F6276E9658E291F65A86A59F6,SHA256=974171117EE27B2FA401F8295F97443088D2DF045798192C66AB88F6AC506517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649101Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.612{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FA894E80770B408731A251770125D93D,SHA256=0372DBF5AE37DD40B45662BFB77687AA0D331F96E8EC1C3F92A4934B4E18D9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649100Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.424{D419E45B-DE85-60B8-6A4E-00000000C401}4888ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649099Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.346{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649098Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.346{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649097Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.285{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649096Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.285{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000649095Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 13:52:05.252{D419E45B-DE85-60B8-6A4E-00000000C401}4888\PSHost.132672019251046846.4888.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000649094Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.237{D419E45B-DE85-60B8-6A4E-00000000C401}4888ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_5dqybcmf.bsa.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649093Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.221{D419E45B-DE85-60B8-6A4E-00000000C401}4888ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_yca021bn.ddp.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649092Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.190{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_yca021bn.ddp.ps12021-06-03 13:52:05.190 10341000x8000000000000000649091Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.174{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649090Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649089Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649088Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649087Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649086Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649085Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649084Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-DE85-60B8-694E-00000000C401}8602716C:\Windows\system32\cmd.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649083Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.104{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-DE85-60B8-694E-00000000C401}860C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1 10341000x8000000000000000649082Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DE85-60B8-694E-00000000C401}860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649081Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.081{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649080Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.081{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649079Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.081{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649078Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.081{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649077Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.081{D419E45B-78A0-60B6-AD02-00000000C401}22846252C:\Windows\system32\csrss.exe{D419E45B-DE85-60B8-694E-00000000C401}860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649076Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.081{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DE85-60B8-694E-00000000C401}860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000649075Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.080{D419E45B-DE85-60B8-694E-00000000C401}860C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000595277Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:05.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA63524F8068B40B171A08640D98572,SHA256=2A19E57554E011AD77C432357F08BD7E4C306868B3AB9D469DA96AE127738409,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595276Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:02.920{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49757-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595275Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:05.089{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46597AF6E5B2E480C3C6C6C485CC37BE,SHA256=7E67E77D6E622812A1C91F3DE9CEC9BD58EB9826E64A7538031EC2E4F8F2367A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595274Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:05.089{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AE7520DFF186B82F560D2E9653066CF,SHA256=443415F838E4B3A06C68581081B645B6A298332633CAEA8FFEA4B2ADFF96F603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649106Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:06.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E75C7221CA3E0AD9F185E3F6B7020007,SHA256=8E93C5AB719CC979D2AC167EB79759C728BEB906545A91DAAE7B842C19909AFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649105Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:06.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E0A5B99CE0AEBE1B16364B28B11609DC,SHA256=4162CDBBA698FC8033705C626460C4E96AB1D869468C84FB2DACA9A5600AC8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649104Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:06.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD56CBDAECBF2270BF66A283BBDDEA6,SHA256=40D753C98FA17EB0F0AFB4F3866269F325F169829C7770DC96881B2E63595E96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649103Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:01.542{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local49823-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000649102Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:01.542{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local49823-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000595278Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:06.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F004DD245C70B907FE12FB45E33DB8,SHA256=576B295FE1A18A8EE590BE6DE506A82CC1F30FB2D265EC5A6CE360743A0E22BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649139Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.377{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FDB00161E0B54F82C4965FC5EF24DF9,SHA256=552175DF7B9C63C7A3A9464901F8EE356457485571A569D6C3DBB2643C3F6A2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649138Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649137Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649136Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649135Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649134Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649133Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649132Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649131Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649130Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649129Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649128Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649127Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649126Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649125Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649124Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649123Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649122Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649121Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649120Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649119Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649118Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649117Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649116Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649115Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649114Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649113Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649112Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649111Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649110Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649109Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649108Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649107Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.112{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A769943EA77DD115D7E53C407F2D0947,SHA256=D21A6927A245D6227183356E5791C38AED4A3874B28770C1E1089635463279FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595279Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:07.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE721BB10CA177436D1DAB4B83CDA28,SHA256=30927380EDF3AA39B376E2801DAB88AC27317E01646635935221CCC8D902528A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595280Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:08.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1466E73A310AE6323A9D0CD6B89170CE,SHA256=EE1A6A1CD09B15F390E1DD7ACADD740A7DEE1C5614300B5B962750BBE41CB409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649142Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:08.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC75863C7A8D0663895E51444E6389BF,SHA256=9E5370976D803757D4FA428E047A65CCA17655571049F4A3D43144093DA92465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649141Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:08.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8F167E002C55DA2752110B2BDB46AD,SHA256=DF554DF448477822E5B43B1D7B052058AFF5A6CCC384D6DD07A0091451C19FCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649140Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:03.603{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49824-false10.0.1.12-8000- 23542300x8000000000000000649145Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:09.674{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95218AEF9C1C25A4366549BA402B3355,SHA256=9E1481EF6C45B33B43B68DDEFCE29E0F481B745E8A7CD261132245AD6CC60BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649144Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:09.659{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E61D6F2A84A14C1BEF5361B2992D4E1B,SHA256=2736266A363A64ECCAA33ADA147D4B068222F6EA057E6B6C031EEA3AD96E1443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649143Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:09.159{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D52D9332D50FBAB75B1C7410F8FCA4F,SHA256=9C6C31A3C1117E8E7CB3A008E716D3544072B9869715EDA82D319B850F1151A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595281Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:09.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECBEE0AA678F3968E876A54533804384,SHA256=48412067DBDB59C766375E0BE405DFE90E97EE434BE2996B5B1DD37885DC74FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595285Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:10.808{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A47082A928CD904F23EA6A980B327D,SHA256=685AC4AB732372E2BD5C935D27A6F617C88FE07D58A48708D97DF5BA30F158B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649149Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.893{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A1DE7EF866ED205EC67870F4EA8DF68,SHA256=0C99A6BA635F061BACE35245053218D381BB48A4BF3A90FFE7794FF4B1F79F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649148Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.268{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A2B7BEA772FD00868569A12BAAA343A,SHA256=5141FB9DF661EFE6B3A4547915EC30A4EB3E999D24D4C543BA0FF155AF437C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649147Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.174{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559A7C5A2BFDA3B6170CAB13727F0398,SHA256=6BABC02CF39BF5BC563FCC3236D793A1C7D2538D5E9EEB6BF86C0D8369CF856D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649146Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.034{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DF49247A0B35C9AA255D637BD818965,SHA256=2827F0508C41D6C05356A4BAE65B1F1189D75D9CF05530769F81BE95E8AB4DBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595284Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:08.045{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49758-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595283Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:10.214{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADB9AC450E8FC4B175C58933C3B1CEC0,SHA256=621CE79DE2EEAF566AE386743EA07379247F72388811F178456E972CBA6E623F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595282Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:10.214{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46597AF6E5B2E480C3C6C6C485CC37BE,SHA256=7E67E77D6E622812A1C91F3DE9CEC9BD58EB9826E64A7538031EC2E4F8F2367A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595286Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:11.839{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF575C0B2FC0C49326DAABE5DD34B34,SHA256=17F6A420EA69FC4C4B58D75AFD74622F54CD3CEC2A56598731F97FD99F36577C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649152Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:11.940{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=584C9C1DCBBB5F4A086BD0C4F6C2DE43,SHA256=B2D9BB8E32851A6269B50AE7D5E46C6082BC55C89D7D69233C0CDA9420774AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649151Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:11.315{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ECE63E91769AD94D767939CCB2F0EEA,SHA256=44CF8656D4C9911A7FD2730E59A4163C687B02ADF284FEA3F844C1EA4EA619D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649150Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:11.190{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99B07AFF1A8A5BDC2ABD851203BFDBD,SHA256=5F6E00D39F6EBE330E9D910E7DD9A577FE7AC759E88918471432AA52B20C5603,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649189Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:12.987{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_groups.json2021-06-03 13:52:12.987 10341000x8000000000000000649188Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649187Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649186Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649185Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649184Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649183Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649182Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.705{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649181Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.705{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649180Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.627{D419E45B-DE8C-60B8-6C4E-00000000C401}4284ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649179Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.534{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649178Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.534{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649177Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.471{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649176Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.471{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000649175Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 13:52:12.440{D419E45B-DE8C-60B8-6C4E-00000000C401}4284\PSHost.132672019321729269.4284.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000649174Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.409{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=236CA8DCC70B9150F4B054B832AAE345,SHA256=8C613B402EE11D0A32B5D9E23E3E326E1EEB8910EACF20E7D5D12AED60A435CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649173Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.409{D419E45B-DE8C-60B8-6C4E-00000000C401}4284ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3tkycblr.qn1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649172Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.377{D419E45B-DE8C-60B8-6C4E-00000000C401}4284ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ixhsvqdq.zsm.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649171Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.299{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ixhsvqdq.zsm.ps12021-06-03 13:52:12.299 10341000x8000000000000000649170Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.252{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649169Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.205{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C856C77A8CE198ACDE5B6CE30667D8F6,SHA256=6F6D3DF5882C1E3C17FA1701DDDA81E2FC9A18F376111261491A2BAD61ECEB12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595287Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:12.870{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AEE4540935CBBFED1C48B98015E51F,SHA256=11C526572E8D2BAE0E11688DF6C174B962F31537D6D3E9E535596137A1DD669D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649168Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.174{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649167Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649166Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649165Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649164Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649163Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-78A0-60B6-AD02-00000000C401}22846252C:\Windows\system32\csrss.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649162Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-DE8C-60B8-6B4E-00000000C401}54682212C:\Windows\system32\cmd.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649161Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.172{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-DE8C-60B8-6B4E-00000000C401}5468C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1 10341000x8000000000000000649160Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DE8C-60B8-6B4E-00000000C401}5468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649159Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649158Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649157Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649156Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649155Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-DE8C-60B8-6B4E-00000000C401}5468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649154Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DE8C-60B8-6B4E-00000000C401}5468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000649153Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.153{D419E45B-DE8C-60B8-6B4E-00000000C401}5468C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 354300x8000000000000000649222Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.260{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49826-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649221Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.260{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49826-false10.0.1.14win-dc-233.attackrange.local389ldap 10341000x8000000000000000649220Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649219Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649218Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649217Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649216Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649215Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000649214Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:09.619{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49825-false10.0.1.12-8000- 23542300x8000000000000000649213Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D13C24BE5A5CE22B8D20AA5C7BD9D69,SHA256=41492C333825950178D213AC48FD251F5A7C385463341E8677B10A1B27B3C740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649212Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=76E8D671C2E914F03364058D9085E0F6,SHA256=C2CFD5229B3236F8E6EF0C0EE9DEB6E6B5BB57183C788835353DAF220629448C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649211Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.143{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.bin2021-06-01 18:15:53.751 23542300x8000000000000000649210Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.143{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.binMD5=0D30DFB54488D59E2B5B93E04E43134C,SHA256=C0A9ADC14C4C1D34A5502CA9D21C4DE4CF6366C1BD92D0B295E66AECEB068969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649209Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.143{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_computers.jsonMD5=BC6D79EF4F469420EE4F76EEE7183FDA,SHA256=539A89CCB4A769A572593D28F7E62EF24C3A82AE53EC4440034D41D9DFE17690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649208Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_users.jsonMD5=8F412C3CDDB823A176BAF09F25E803A1,SHA256=BA67CD5BF43E1155F10328612FC19FE79FE351922AAB0B70604477DF78E1A89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649207Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_domains.jsonMD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649206Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_ous.jsonMD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649205Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_gpos.jsonMD5=DCB570C80F70EAC0F6A8803BF8F48F7F,SHA256=C57F8C8470A8B1832A69F537DC41F66B22B6EB03D2CFF0E8AD53EEE1E4BA0F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649204Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_groups.jsonMD5=454D4C3A03B3CEE9ED18B2363743C7D7,SHA256=78B9EE14E56513A90D7A86F8193A98C79C9D86B7ED8CAE35FD5801DD6D80ABDA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649203Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_BloodHound.zip2021-06-03 13:52:13.127 10341000x8000000000000000649202Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.096{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649201Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.096{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649200Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.096{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 11241100x8000000000000000649199Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.080{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_computers.json2021-06-03 13:52:13.080 10341000x8000000000000000649198Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.049{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649197Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.049{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000649196Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.049{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_users.json2021-06-03 13:52:13.049 10341000x8000000000000000649195Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.049{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649194Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.049{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000649193Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.034{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_domains.json2021-06-03 13:52:13.034 11241100x8000000000000000649192Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.034{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_ous.json2021-06-03 13:52:13.034 11241100x8000000000000000649191Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.018{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_gpos.json2021-06-03 13:52:13.018 10341000x8000000000000000649190Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.002{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000595289Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:13.948{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADB9AC450E8FC4B175C58933C3B1CEC0,SHA256=621CE79DE2EEAF566AE386743EA07379247F72388811F178456E972CBA6E623F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595288Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:13.902{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D52271E6CB345E4F87478CC482FE40,SHA256=1D9DF9E4E6E0E5CFCAA7FF686BE30F13A0DE0872D3CC478E3DFC7B750C6326E9,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000649253Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:11.182{D419E45B-A18D-60B6-EF0A-00000000C401}3200WIN-HOST-236.ATTACKRANGE.LOCAL0::ffff:10.0.1.15;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x8000000000000000649252Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.622{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49843-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649251Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.621{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49842-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649250Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.620{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49841-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649249Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.588{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-