Sysmon records (channel Microsoft-Windows-Sysmon/Operational) from two Attack Range hosts, win-host-236.attackrange.local and win-dc-233.attackrange.local, 2021-06-03 13:50:55 to 13:51:11 UTC. One record per line, fields named as Sysmon names them. Common to every record: Channel=Microsoft-Windows-Sysmon/Operational; Level=4; Opcode=0; Keywords=0x8000000000000000; RuleName=-. Version and Task follow the EventCode: 23 (FileDelete) Version=5 Task=23; 3 (NetworkConnect) Version=5 Task=3; 10 (ProcessAccess) Version=3 Task=10; 13 (RegistryEvent SetValue) Version=2 Task=13. The last record is cut off in the source.

EventCode=23; RecordNumber=595059; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:50:58.709; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=45EF5D356E100FB9B3176FC492A5812D,SHA256=67C05B2F1D1B112FAF866BE69488A601DBCCE1F9DE037D940CEA5801757C2B05,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648770; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:50:58.436; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=985BBBD9883FB27987D124BA817E3804,SHA256=12E0F819164FF15A068BE1E19B19562DD50BB224ED27176DEEE978294F667EAB,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595058; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:50:58.225; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=33CC16319793AE9F84AE64EA5D56C30C,SHA256=A530D695BFA6E71C53C6E6DE3F3E8B13E7D9FBCFDE16C4AC8F130CF4A8138269,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595061; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:50:59.741; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=CF78E7ED2E2F0E6E77B8E0C0ED8D7A82,SHA256=E23C6A61A62398CB437DE6FA67BFDF4B4B987E4C0DE960FE4FACCEB2831A10CC,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648772; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:50:59.436; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=2D76A77044B8C5271B0DCBADECD28137,SHA256=DDC94081719F1240A46BD1EB8241F311138F0B17B16E249497F39BC3FCF07B6A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=3; RecordNumber=595060; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:50:56.040; ProcessGuid={97C2ED32-787E-60B6-C000-00000000C501}; ProcessId=3336; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-236.attackrange.local; SourcePort=49741; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal; DestinationPort=8089; DestinationPortName=-
EventCode=23; RecordNumber=648771; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:50:59.076; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=82F50789B323F6E9C50B9EFA9C3E9BE4,SHA256=E16B4D4C1C0037FFC00F0DFF3531330931FC29CCE4EE626CB2E0BC565F72689C,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595063; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:00.741; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=714B0E66D12D0CD894096BA21C6DA2F6,SHA256=0709F52D5AF233B0CC5326ED9A56DD8981B934982FEBC57F8CB220F22C004BA0,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648776; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:00.436; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=41026417E2E001A2344C3E4871DB40FF,SHA256=DC39CF12890CE20DA7193ADE8CF2B40AB9F2C25F3D65DA8F8E889C86E6B167DE,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=3; RecordNumber=595062; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:50:56.837; ProcessGuid={97C2ED32-7885-60B6-EE00-00000000C501}; ProcessId=3036; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-236.attackrange.local; SourcePort=49742; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal; DestinationPort=8000; DestinationPortName=-
EventCode=3; RecordNumber=648775; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:50:55.647; ProcessGuid={D419E45B-754A-60B6-6C00-00000000C401}; ProcessId=3320; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-233.attackrange.local; SourcePort=49795; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EventCode=23; RecordNumber=648774; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:00.342; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=BBCDD570C42203144ECCDB21DB576E98,SHA256=AD5556240091B54A8526856720CA9BB7F5EA69AED2552CBE790DDAC2D0ED020C,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648773; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:00.201; ProcessGuid={D419E45B-753F-60B6-2E00-00000000C401}; ProcessId=3052; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml; Hashes=MD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648778; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:01.607; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=DD8D7B53F657863E176ED1C47361B30F,SHA256=E85B22F7D0BA4729F643F6F2AEDDC380AD00A0A1A9E4E8EF3D729F827828D4CF,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648777; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:01.451; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=B6A9CEB4DEDDB3AEA4C1BA6060F2035B,SHA256=AFE9AC7CAEC1419A0D7DF020B31929597FC9B8C607F7E6594374BC2BBD1CC5B4,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595065; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:01.881; ProcessGuid={97C2ED32-772F-60B6-1000-00000000C501}; ProcessId=976; User=NT AUTHORITY\LOCAL SERVICE; Image=C:\Windows\System32\svchost.exe; TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat; Hashes=MD5=D5248E43CD0665C041233A21B885045E,SHA256=03320D18AEDAD15A8690D40E0886C922B9E18C951EE709A02D626E7F452AA38F,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595064; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:01.772; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=3E4F2A49B5E9AE4B3AC9C48931AB19C8,SHA256=6DF70C7450707CCDBA39CDF93C45BBD24000B6F0AB3FE8BDC1CA905639B54049,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595066; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:02.787; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=5B4B04E9DD59BC339C76B612D7A914B0,SHA256=796F3A7D2837C04A7168D3FDDC8EA7CFD8C322EDB2F3FB4EC2B8CFFBA017D535,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648781; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:02.748; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=BB663A4AECD942E23885880C4CBD49AB,SHA256=AB096FF29F068320AD791489C264E9170EF738DA8B5B4B9C5ECB8E22AEF2C0E3,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648780; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:02.467; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=7028BAB2159182D04AAF3CBA4F7AB752,SHA256=165B0E27F93F6DE889A15DDB24492E0BE899A4B08BA61B883EAE0DAC48867AEF,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=3; RecordNumber=648779; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:50:57.709; ProcessGuid={D419E45B-753F-60B6-2E00-00000000C401}; ProcessId=3052; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-233.attackrange.local; SourcePort=49796; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8089; DestinationPortName=-
EventCode=23; RecordNumber=595067; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:03.803; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=BD22AD3C322D1E72876C0A4AFBE347EB,SHA256=9FCAD0E10FC3E7AF6C96194A0C7AA4FD2262A0BDBCE513F20AEA487C017F57CD,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648783; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:03.904; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=7C9F728AEE9DD8CBEC87B1DE0582C6F3,SHA256=9F5462FEB334DFD25A5F18D7BBD566C9982403F7880386349E9457676A320177,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648782; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:03.467; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=717DAD3A67ED79F8A8A952AF7E67891B,SHA256=95DAB9FA88FDB530448F78F0AC9F57A0A50E679A691AEC8BD93AC2F079436E23,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595070; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:04.866; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=98E896609C3C343E5DB8AB99A32DE718,SHA256=696D7769B4060BFD1B7959B6FCD5CA20E0358B4C9714B87EDC079CB94D577B68,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648784; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:04.467; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=52EB5583421F6E267EF31C54E2D29802,SHA256=80326389086B86BBCC2DAA265B83A0CF536BBE6E1859EAE0A3B2B506298F6900,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595069; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:04.084; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=999BE1AA2581BEA1EA955870D17D2476,SHA256=8F38D5FDFE414B5874BCF0E544116E897C62A37A515009BB75C51D9723D1F6BF,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595068; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:04.084; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=C9991BCAA9C0CD92C4E47AF4D825FEF8,SHA256=52B79D4215F988BA9714ABE11FB5E291FC95A77EEC174E5C96D93154F1B9BBF5,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595072; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:05.928; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=EB15ABB4031621D27928D8A7BD735017,SHA256=050F4E052B549CE5F6BC394774883C01C75BC1AF5E2CD7F0632DEB651F1106D1,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=10; RecordNumber=648794; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:05.701; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=32; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-A18D-60B6-EF0A-00000000C401}; TargetProcessId=3200; TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=10; RecordNumber=648793; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:05.701; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=32; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-A18D-60B6-EF0A-00000000C401}; TargetProcessId=3200; TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=10; RecordNumber=648792; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:05.701; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=5872; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-A18D-60B6-F00A-00000000C401}; TargetProcessId=1132; TargetImage=C:\Windows\system32\conhost.exe; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=10; RecordNumber=648791; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:05.701; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=5872; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-A18D-60B6-F00A-00000000C401}; TargetProcessId=1132; TargetImage=C:\Windows\system32\conhost.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=10; RecordNumber=648790; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:05.701; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=5872; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-A18D-60B6-F00A-00000000C401}; TargetProcessId=1132; TargetImage=C:\Windows\system32\conhost.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=10; RecordNumber=648789; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:05.701; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=5872; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-A18D-60B6-F00A-00000000C401}; TargetProcessId=1132; TargetImage=C:\Windows\system32\conhost.exe; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=3; RecordNumber=648788; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:01.522; ProcessGuid={D419E45B-752D-60B6-0B00-00000000C401}; ProcessId=632; Image=C:\Windows\System32\lsass.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=false; SourceIsIpv6=true; SourceIp=0:0:0:0:0:0:0:1; SourceHostname=win-dc-233.attackrange.local; SourcePort=49797; SourcePortName=-; DestinationIsIpv6=true; DestinationIp=0:0:0:0:0:0:0:1; DestinationHostname=win-dc-233.attackrange.local; DestinationPort=389; DestinationPortName=ldap
EventCode=3; RecordNumber=648787; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:01.522; ProcessGuid={D419E45B-753F-60B6-2D00-00000000C401}; ProcessId=3028; Image=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=true; SourceIp=0:0:0:0:0:0:0:1; SourceHostname=win-dc-233.attackrange.local; SourcePort=49797; SourcePortName=-; DestinationIsIpv6=true; DestinationIp=0:0:0:0:0:0:0:1; DestinationHostname=win-dc-233.attackrange.local; DestinationPort=389; DestinationPortName=ldap
EventCode=23; RecordNumber=648786; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:05.482; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=D5DD1E5774EFBF5F638DDED8CA7470F8,SHA256=344C8DF33DC406E8A0A53F9E5C121F09A04F7B60E0DAE766E35D197E6B126559,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=3; RecordNumber=595071; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:01.901; ProcessGuid={97C2ED32-7885-60B6-EE00-00000000C501}; ProcessId=3036; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-236.attackrange.local; SourcePort=49743; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal; DestinationPort=8000; DestinationPortName=-
EventCode=23; RecordNumber=648785; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:04.998; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=B10067232A13DF9DFAFEB8A256966EE4,SHA256=DBF67A3A90DC9C7F9B5A552EF1AEBA325283B01AF56864F449CC8DAE48387042,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595073; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:06.944; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=356FDB9CDE919E4543E0B712C3BBE1EF,SHA256=3BF31B124C46963B90B2981C1FFADE4ACCAF2273FDEEB7051C602DD0987151C3,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=10; RecordNumber=648803; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:06.607; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=32; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-78CF-60B6-0E03-00000000C401}; TargetProcessId=5960; TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=10; RecordNumber=648802; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:06.607; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=32; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-78CF-60B6-0E03-00000000C401}; TargetProcessId=5960; TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=10; RecordNumber=648801; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:06.607; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=5872; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-78CF-60B6-0F03-00000000C401}; TargetProcessId=6080; TargetImage=C:\Windows\system32\conhost.exe; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=10; RecordNumber=648800; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:06.607; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=5872; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-78CF-60B6-0F03-00000000C401}; TargetProcessId=6080; TargetImage=C:\Windows\system32\conhost.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=10; RecordNumber=648799; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:06.607; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=5872; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-78CF-60B6-0F03-00000000C401}; TargetProcessId=6080; TargetImage=C:\Windows\system32\conhost.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=10; RecordNumber=648798; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:06.607; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=5872; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-78CF-60B6-0F03-00000000C401}; TargetProcessId=6080; TargetImage=C:\Windows\system32\conhost.exe; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=3; RecordNumber=648797; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:01.616; ProcessGuid={D419E45B-754A-60B6-6C00-00000000C401}; ProcessId=3320; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-233.attackrange.local; SourcePort=49798; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EventCode=23; RecordNumber=648796; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:06.482; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=BF1B092C496D38AB31843BF893450C33,SHA256=DD8D8145855491462F38E8725D29D6DD59DCDBE5768A5D3A29934A0A3371421B,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648795; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:06.139; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=8344DA0F03700225DE5F19EA2CD1E207,SHA256=FA92527EC45E3726F41F41ED0C1BF437416CE1BC029CAA13EE1AE37E520123A0,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595074; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:07.959; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=267D4CF6BC11C159E85465ED849FB894,SHA256=6AFAE82900A1B0019FC08652B0DE5E5641BCDE01A24F388AD8B0E67FDD1F27FE,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648811; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:07.623; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=9A68058A2C9C70356ECB810AA8A55B4E,SHA256=C06EC709988418C8725D0294442FEFF417C401133EE40495C5FD420068D14F76,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=10; RecordNumber=648810; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:07.404; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=32; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-A18D-60B6-EF0A-00000000C401}; TargetProcessId=3200; TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=10; RecordNumber=648809; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:07.404; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=32; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-A18D-60B6-EF0A-00000000C401}; TargetProcessId=3200; TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=10; RecordNumber=648808; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:07.404; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=5872; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-A18D-60B6-F00A-00000000C401}; TargetProcessId=1132; TargetImage=C:\Windows\system32\conhost.exe; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=10; RecordNumber=648807; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:07.404; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=5872; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-A18D-60B6-F00A-00000000C401}; TargetProcessId=1132; TargetImage=C:\Windows\system32\conhost.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=10; RecordNumber=648806; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:07.404; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=5872; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-A18D-60B6-F00A-00000000C401}; TargetProcessId=1132; TargetImage=C:\Windows\system32\conhost.exe; GrantedAccess=0x1000; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=10; RecordNumber=648805; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:07.404; SourceProcessGUID={D419E45B-78A4-60B6-BF02-00000000C401}; SourceProcessId=3976; SourceThreadId=5872; SourceImage=C:\Windows\Explorer.EXE; TargetProcessGUID={D419E45B-A18D-60B6-F00A-00000000C401}; TargetProcessId=1132; TargetImage=C:\Windows\system32\conhost.exe; GrantedAccess=0x1410; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventCode=23; RecordNumber=648804; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:07.404; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=9140D54A6F4592CE08D30B83B95F7A6C,SHA256=EFC6B1D22B6DCFD28ADC7113EB324912B328DC58B275EDA1923DAD4F6056458F,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595075; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:08.991; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=8D578BC9F0938A963302AB182B3ED181,SHA256=FF07A9BB44AF30C1577FB52AF6D61269BD036FE6A569A844E4C6DD735579F54B,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648813; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:08.686; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=19F12D2E6D6E9E07DB6FA22C377ACD38,SHA256=85631B00402F4CA18B665FC3DDFCB628BA5C801FED84F39D6CEFEAF62E183BBF,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648812; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:08.654; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=444E7D32F1D817221271C97A17AAF129,SHA256=A01F931E563DDBC87510F277726713ED84D27D652E53F7ACFDA3798536FA25E1,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648814; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:09.748; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=5A84DB7A692D7F484D271748F7B90DFC,SHA256=F58B76D086CFF71E930F4DE69674E1FF5C81DCDDBA13E3604D620F334B961D15,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595076; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:09.991; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=B99B983DE935E41377B72CAC3F48B2C2,SHA256=84E61480B4050B59C80BFB727BBF4E5B75D174CB0ADA5F1DB7A9D9068A5C4F20,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648816; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:10.779; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=45556A14A12BC2F67960B544C2562292,SHA256=960CBC1F62791B7BF607E6AA57403E593969C6BE5D272AAF01F923CA107CBDAB,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595081; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:10.991; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=12D2494EECC23C882F8DA1DED82A23AB,SHA256=5B8AF5B0D4632ACAACFDABB5948F34BEE73BADC95650F390D453FFAC1F81E395,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648815; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:09.998; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=E94B56AA682FFA269872540E8365534C,SHA256=27DAD1BF18CEAFE9D2C1601616C4145D9EB71374FA9EE4E1E4984DC904490D5D,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=13; RecordNumber=595080; Computer=win-host-236.attackrange.local; EventType=SetValue; UtcTime=2021-06-03 13:51:10.928; ProcessGuid={97C2ED32-772F-60B6-1100-00000000C501}; ProcessId=984; Image=C:\Windows\system32\svchost.exe; TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTime; Details=QWORD (0x01d7587f-0x82cd14df)
EventCode=3; RecordNumber=595079; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:07.931; ProcessGuid={97C2ED32-7885-60B6-EE00-00000000C501}; ProcessId=3036; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.15; SourceHostname=win-host-236.attackrange.local; SourcePort=49744; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal; DestinationPort=8000; DestinationPortName=-
EventCode=23; RecordNumber=595078; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:10.131; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=EA1E6535B5C5D81A16A87014B84856AB,SHA256=57AD61D5F46EF5A281B659A72C5DD71DF6852C5BE0B883359BF26E894F9C7EC1,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=595077; Computer=win-host-236.attackrange.local; UtcTime=2021-06-03 13:51:10.131; ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501}; ProcessId=3204; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security; Hashes=MD5=999BE1AA2581BEA1EA955870D17D2476,SHA256=8F38D5FDFE414B5874BCF0E544116E897C62A37A515009BB75C51D9723D1F6BF,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventCode=23; RecordNumber=648819; Computer=win-dc-233.attackrange.local; UtcTime=2021-06-03 13:51:11.904; ProcessGuid={D419E45B-7552-60B6-7500-00000000C401}; ProcessId=2528; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program (record cut off in source)
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B67B6EAF49A650EC9F6950F668FDDE,SHA256=DDDC8676910E8FBCFB11CDAF52D56F5EF0AA8B94B88583AE76CF86224A6C70B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.647{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49799-false10.0.1.12-8000- 23542300x8000000000000000648817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:11.123{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=806FE827AA1D97B969A029384AC65E57,SHA256=21842576ED0C266D1F4803393EED9A4A4018C4F689605678DE03669D696FA868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648821Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:12.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD392496489D15390A92CD2AD573284,SHA256=7EA029A50036A2D42AD1EB2328618DA7BFAF8FAD0D7A71AB72F4561395DB5075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648820Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:12.201{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8A1CE1D068A3677B36C1A71BF4B3ED2,SHA256=11DF8F535ED2A9F3288A1E1C9B35D3FC4F5FBAAC49297461DB13F6E98CD21FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595082Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:12.022{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8947ACAD4F1D7CB9C50CAAF0B1E2FEA8,SHA256=4060E89A6CF412BAC44C62B8BAE4B1DD22D06A90114ED45240994A60DB1446F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648831Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C40B366183CC4BAC5F8198375CC6FC6,SHA256=B5FB740B40B62A3D29F95265C709E7C596D3780E4408A520A8281606D3DB67E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595083Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:13.037{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188D35DB6845105DFFC8AE2DBD3DA4D2,SHA256=BC71480D5580D1144F870DE5DD8C66B3681581BB3B0C97E0B0DEB9851E5330B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648830Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:13.826{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE51-60B8-5F4E-00000000C401}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648829Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648828Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:13.826{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648827Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648826Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:13.826{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648825Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DE51-60B8-5F4E-00000000C401}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648824Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE51-60B8-5F4E-00000000C401}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648823Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.812{D419E45B-DE51-60B8-5F4E-00000000C401}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648822Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.342{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4E2A102BA874C87B9C0E7BA0270867E,SHA256=F0E7DBC6BF46A712BD5AB97753D66C3C88D99DA739FFAE3370DCAFFF549A360F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595084Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:14.053{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5D52AAEC446F8C264ABC1C375A3372,SHA256=47E7291F753B1A4EECC7DFCCD2F6A7FD5EFF8971D574F8197AEBC0E540BF6B12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648841Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.670{D419E45B-DE52-60B8-604E-00000000C401}35846860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648840Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE52-60B8-604E-00000000C401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648839Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:14.498{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648838Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648837Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:14.498{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648836Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648835Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DE52-60B8-604E-00000000C401}3584C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648834Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE52-60B8-604E-00000000C401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648833Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.499{D419E45B-DE52-60B8-604E-00000000C401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648832Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.482{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EB3D2A1DA0B0E23D12759104BC4F7BB,SHA256=CE1E4DB3D6C424D7AC4CDB2D237C3D80401E1A4C8C1B65D1E1178CA1D9CA420F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595088Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:12.993{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49745-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595087Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:15.194{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F112CE5F47605F44CFB643AE600FB961,SHA256=177C1C9188320A219F5675E499DFDE15E9E22614BD475737D198C2D6D42B56E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595086Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:15.194{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA1E6535B5C5D81A16A87014B84856AB,SHA256=57AD61D5F46EF5A281B659A72C5DD71DF6852C5BE0B883359BF26E894F9C7EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595085Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:15.116{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2C7BA0E9FB5548C8F75C0D7EB87CEB,SHA256=B52143B15A683343CB00398917032F481D73BA6B3E9BA39D9ECCB93D232BA664,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.873{D419E45B-DE53-60B8-624E-00000000C401}19206916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.717{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE53-60B8-624E-00000000C401}1920C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.717{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:15.701{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.701{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.701{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE53-60B8-624E-00000000C401}1920C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.701{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.701{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE53-60B8-624E-00000000C401}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.704{D419E45B-DE53-60B8-624E-00000000C401}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.529{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D98E3F36B87E575B4772BD820AC0F125,SHA256=395383B1A1E0A3B7E95EABBEF2C1098E2605E51DC71A085EF30282E78B1F2284,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.295{D419E45B-DE53-60B8-614E-00000000C401}50366780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE53-60B8-614E-00000000C401}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DE53-60B8-614E-00000000C401}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:15.092{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE53-60B8-614E-00000000C401}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:15.092{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648843Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.078{D419E45B-DE53-60B8-614E-00000000C401}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry 
monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648842Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.998{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8AC064DAFC06556DD269DCC48116486,SHA256=2B439BF6D0AFB5348305E81976F80CA36016176F6D1DC38E754AB8AF346DE191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595089Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:16.131{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAC96958EAA1093C4C35B9E7F5222E6,SHA256=E1A2839BF9BD116505CE3880E67B09BBB238B12EC9E1B2504974E2FDECD60D7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648871Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.600{D419E45B-DE54-60B8-634E-00000000C401}46881076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648870Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.412{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE54-60B8-634E-00000000C401}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648869Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648868Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:16.397{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:16.397{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DE54-60B8-634E-00000000C401}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE54-60B8-634E-00000000C401}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.398{D419E45B-DE54-60B8-634E-00000000C401}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.014{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58EEFF381C13B47850EE69F233450D6,SHA256=851B9C9140C04A7C9A18B75429325C7012CA87251915A55936469DB5724791C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595090Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:17.139{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C450F5769AD062A5B2F1CA77B23A43D8,SHA256=A5D798FFE9B8FD8C567DA293F7A002FD83AFD5A67ABCFA9B268590A607B97E23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648890Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.569{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49800-false10.0.1.12-8000- 10341000x8000000000000000648889Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE55-60B8-654E-00000000C401}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648888Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:17.740{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648887Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648886Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:17.740{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648885Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648884Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE55-60B8-654E-00000000C401}6568C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648883Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE55-60B8-654E-00000000C401}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648882Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.741{D419E45B-DE55-60B8-654E-00000000C401}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648881Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.194{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2969B68F9E1F06FC1D3DEC183D57AF,SHA256=DCB6F8EA7846E22CE982F16119D8EA8522A49C06C0243D5D3A21B653AF75D062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648880Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.194{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BD30B9BB96FE4D2FC3F269AA23FD9EE,SHA256=FCFBF72426E75D432984666DE05BD9EC782DBA6D611127D006242DE2A75F2E3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648879Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.084{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE55-60B8-644E-00000000C401}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000648878Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648877Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648876Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:17.068{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648875Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648874Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DE55-60B8-644E-00000000C401}1728C:\Program 
13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595137Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595136Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595135Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595134Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595133Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595132Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595131Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595130Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595129Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.725{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5D920DF74F38FF595E4524E0E0D3522,SHA256=85434622A7ECF4332B8C4F41192B8976058D16ABD803AD0617C8DDC22D7CC965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595128Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.327{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A29B13ECB3C951CC83574DFD571852,SHA256=F66BE9597F9CC8A666C4FB688E48124A61A1CAD08B4F59A4A72B667D6F004942,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648913Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:24.623{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49803-false10.0.1.12-8000- 23542300x8000000000000000648912Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:29.022{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EE1A2A8E5489D0A1B34CE5F49189076,SHA256=A1800137E90ACDD3E45477FFB2F1BA4EBC113547EC24EA810050289BA2A5D3CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648916Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:30.631{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A039134736EAE3B22831B104C2124F6D,SHA256=C0D03308A98E981604BB0C10BCE4A479A5B683327FB2E43149BFF15587BF17CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595143Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:27.612{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local49748-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000595142Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:27.612{97C2ED32-DE60-60B8-3F58-00000000C501}1092<unknown process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local49748-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 23542300x8000000000000000595141Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:30.350{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E835722A8C9D886EAD637F2DE2B1A359,SHA256=07158CB401C40FFFC0C95D3A9F1C31A0B0F1452F289C1C5D1BEB90CB53B26196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648915Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:30.131{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D70BF2655F31596A0619510155563536,SHA256=9F18C7E0B37E72E099364FF25B6957F3B1ECD83A0CA2A273523F919E9794BEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648919Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:31.694{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7378A01D1612DD298663FD52A2D9A82F,SHA256=9C99C5E16C2A78CC33F807095963DBDCC401437B416F189D86A2ACBB0A516284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595144Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:31.378{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F560AA6479C1892651B802AC3DEFD2C,SHA256=8C923E69B9722AE196AB16D1E1DFA931DAC3335BEC9E03D52DFC869565C7DC6E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000648918Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:31.506{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A36049CBA90C4152B0E9FD88E633FFFC,SHA256=2E6DF80AC96A5E8F0F2E0FA839DE3BC4515FAF033B3677A70E651D0EDB179152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648917Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:31.365{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68AE10BA37C2CA080837A4CC1EFC8D5A,SHA256=8E9830AF24609A7E28EF81D7F2FF7F9CC81C281BDB7E525D98420166F461715E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648921Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:32.710{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09AA56D346CD659464F242C7C948C3B3,SHA256=404F95B0EE76B6F7576053113B40218CD072EF7FAA092F6E92A1DCDC559D6973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595146Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:32.380{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCF9FA16A92EE6EE79C1B3769A180E9,SHA256=1D7A12B333CD7EECC81C4D1D4048F1B926B9C21D41B35F6A89B512970AE81CFD,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000648920Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:32.397{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19EE3028A6D43E5CE1EFE697B38C5505,SHA256=9C76C48E0D1BD78FA468017881B5EB01E8A6E865A7FD0EE0D6A3CC936DC4B435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595145Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:32.146{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA891BD3A3F750257B3A39AA5B87661C,SHA256=E88053856A92D2B068CBD3B02E03E48D7000596CDB1AFF05271253C2E8398E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648924Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:33.724{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668DBCC2CF1ADFE3574FC695ED74179D,SHA256=691C467231178BF64E531E62CF3092ECF426F243283F75ECA09C82A512D6BC7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595148Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.943{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49749-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
23542300x8000000000000000595147Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:33.396{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A7909A50DE77A75FF53D14111072BB,SHA256=05C347DC5565DD86EEA851F2AA5920142F3985693E23336FEB7D9A6E65FBA72C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648923Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:33.492{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78C48561265B15B86F5120F1B828525C,SHA256=4B6903A91EDD958CD66568AC8E31AB72C6B58661AA49409AFAAEDBD5CDD588CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648922Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:29.654{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49804-false10.0.1.12-8000- 23542300x8000000000000000648926Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:34.961{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1C9D3ADFC0427C52E9BAA8AA28115AA,SHA256=F81F0EF2B603D68E8582752E2CA0E4FA09AFCCE5DCA80CAF7FE8FF80D99E4607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648925Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:34.758{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0338A60B9127A4E5811922B0982ED64E,SHA256=C948A02772BBF6E97F6B829A36560BA82EEEEEBDADF389440916BABA9A32F42E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595149Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:34.396{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3373C33D25516873AFBC4384A55E454,SHA256=22E44C6B3CFA7FCE4BEA68F5F72962E50DE0559CAAE357EB71C6F43D80C144B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648927Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:35.758{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55A912F3775A82CE03AC5FBC4955046,SHA256=D5C904DA97422D8A25C7A16A2675F8F1186C18F8FFD1709F407341DD1DFA5946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595150Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:35.411{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF08B6B831AC7753962AFCD1F2989B71,SHA256=016DDB1C2B4DC65CED0378875821497CAEFCBA68D7FA3FD565AE0D67710219E9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000648929Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:36.764{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE2C1B770BF49D05FC9E0765E0627EB,SHA256=AD34BD8E735CA010B0D43E37094CEE11897DCE6B3285CE08DE4BCEAE131E10F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595151Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:36.413{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA8945BF36481447A5F791F3A2CB4CE,SHA256=F548A043CA1DA59450A6E68186CC103FC63812DF422F99DC7FE483DDEC241086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648928Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:36.102{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07E5D7D6D2CA20521B4698A640B64F26,SHA256=D74AD96C6F38A1CA9A005FFEAE13E60D559567B099624B308049ACE834AC0812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648931Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:37.873{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B64E731BCB14D8DDD4C1CA02C4EDF4CA,SHA256=2B1C0774A92C98957B46F4C6D54EAC84A7DBFB8E692245B96560C3EA5586DC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595152Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:37.444{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63483B147739955DDB7683232886752,SHA256=DDA7D12336BE5920C492B7B1940594037B30366552D908264803B23B3A045E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648930Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:37.233{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34FE5FEDBD86B28E5C6EF83CA4054768,SHA256=7BF0739441DE93FC4A9CD3ADEBC949920C4BC66B84AFCC5169FBC4FD0C1F8F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648934Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:38.889{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEB3338C00909128A16801896659114,SHA256=E4E881C425C251927565E2B98007120CFD0250764B1C65DF263F5D525BA37DC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595156Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:35.884{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49750-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595155Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:38.507{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A43E60EB9E50E69982B9D835F6ED0C4,SHA256=1A9A801FFF5231DDBC23B627EBE15FBF8C11DD7791FFD8663895CF6F150F978A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648933Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:38.514{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=630ED712EF71948731149CC43F2025F6,SHA256=5451BA4CCC158481A4D4379B42FB5390411C5C9801CC8B71C20EE74EB0931965,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648932Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:34.740{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49805-false10.0.1.12-8000- 23542300x8000000000000000595154Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:38.069{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14D795D9A2EC7C14349B8602FCA5CE5B,SHA256=5A64880C801C03BF200C1A52D183242F3FC8564EEC2630527AFFFD85BEB9E4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595153Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:38.069{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9D9720E6B37D298A8514AE7730684DB,SHA256=9CDD5317CF87918551AAE5D531C65004A5A46995F117E3F42FC10896E1D60CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648936Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:39.905{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667C76C22409732677BA38DEF0C6A694,SHA256=4D935956C19DCFBF3E530F1D66E9D7FE499CFF592974B6F7862D38E861235DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595157Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:39.569{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8F11B780DA00D666749D382E41D1E4,SHA256=3B49B9D5F55D7268483C3961679654CDAF7A771AAAB196CC75937B640E67CEEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648935Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:39.733{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3268E526FEBD67E64D69A8B1D93CE4D4,SHA256=D46DF7F403DC7CD709AF59CEF783BCCBF90F31465013CDBB70F27C3A4792EE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595158Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:40.569{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66FCFF7ACDF3DF6F4347D5B8B6FA24B,SHA256=40158D995BBEBF4B34BC3BB1009DE91B75D50184D77343F7554D73F5849E7171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648937Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:40.920{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8020C665EEBC336120176AF5F9EAFB54,SHA256=16F92D47673F4F015F3530DA31F0B9143567BCAE11CDECA9AF651D069E18956B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648940Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:41.920{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E02F8DF6ABDB28D6B2FF4C5320BC254,SHA256=C5772F779749FFCD6384FFFDF8C5DF6892734438EBB67139F01E6E4C84B74D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595159Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:41.632{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EDB5BCA62B7702EC6E6962096B92F6E,SHA256=7551DCF8637DB92C6F8F1F73F3829F457E8B5B056A134BFEBA137499355A9EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648939Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:41.686{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=70540FA424E8C3698C3855030A674137,SHA256=3FD056E6D3CF83C85670C37ED541711D75D03E837A88A128794DFCCB6A71B610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648938Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:41.092{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE06D5AF2AA560F42D697D6A7CB6A473,SHA256=4D69C1DCCC4505700424F240F7631F677EB4BF436EAD221DD124521AE14E3A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648942Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:42.936{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924990F16816E658510F74F6E4367DDD,SHA256=1092A3AA4EB5FCA2C1D3FCFD40EE9B7C928CE4603F3CD9C7BEE2E393ACD1B196,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000595160Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:42.647{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9806B87C67D7791B0E28E80123CF96B5,SHA256=3F2A34ECD343BD9E80C55FCE7EB43360AC7FD147C66B8CE42976C3A3A3348277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648941Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:42.233{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2DD5C9F217C5EDE4E03E4C096FAB2DF,SHA256=921162201248718C127643F77ADAABC2384CED75B41EF23EA635801D48B9A4A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648945Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:43.952{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B60FBE0D2CF7418EEFE98F8926889A,SHA256=F04203C5D91FBC5B358102A13D2D5831A88B2953D67E286ECEE067B3A911E239,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595165Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:41.073{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49751-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
23542300x8000000000000000595164Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:43.664{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0480841E70241D44F00727BDD277F349,SHA256=D75A6A8ECFD3D416D7ED1B0F90EC3EA8998C9089871A832DDF05FDEACCACEAD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648944Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:39.740{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49806-false10.0.1.12-8000- 23542300x8000000000000000648943Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:43.248{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CE6975592BA9B899FCAD1B861206044,SHA256=7CF5C5B2691CB7CD6E02F860D8CEB0640F28D6536BCF80CC62F3C5A0B24A3580,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595163Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:43.335{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-772D-60B6-0100-00000000C501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000595162Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:43.257{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01083638B9A949EB5AAE481580CED864,SHA256=29F9E465DE56C62512D06E3BB10E7BA1A3F3548D010E20ADDF07B28205D53881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595161Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:43.257{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14D795D9A2EC7C14349B8602FCA5CE5B,SHA256=5A64880C801C03BF200C1A52D183242F3FC8564EEC2630527AFFFD85BEB9E4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648949Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:44.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9368CC78C44642BB732E92EFA202977,SHA256=BC659B5E149295C52F843A4786AA830DA23D2E63D31B627E5912B70B8CEC8729,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595170Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:42.169{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49752-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000595169Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:42.168{97C2ED32-772F-60B6-1400-00000000C501}828C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-236.attackrange.local65172-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal53domain 354300x8000000000000000595168Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:42.168{97C2ED32-772F-60B6-1400-00000000C501}828C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:3039:5f36:2821:222a:9ae:ffff-65172-truea00:10e:0:0:0:0:0:0ip-10-0-1-14.us-west-2.compute.internal53domain 23542300x8000000000000000595167Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:44.680{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09687E9A093EBF6A14AA6417E9A17C77,SHA256=88086AC1F6ECC84578B1D886C2C920D1B73F135D75CEE2B957F4DEB3A611ADEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648948Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:40.869{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49752-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000648947Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:40.868{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-233.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal65172- 23542300x8000000000000000648946Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:44.295{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ADB328FA6BF164F8DB4D6137C976489,SHA256=6EEA329A0E861EEFFF91D080422652227B1628EF63C3E6BEC558F65F8D2B555A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595166Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:44.336{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01083638B9A949EB5AAE481580CED864,SHA256=29F9E465DE56C62512D06E3BB10E7BA1A3F3548D010E20ADDF07B28205D53881,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000648951Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:45.983{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5B4D9D70791861FDD8B8547023ACCC,SHA256=EE711E8393227B2D6C7DE99BC57D25686E5A3F8575DDDA6D29AC820E99395CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595171Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:45.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D34D3ADECFC270A2384C91A861CC8EC,SHA256=6B0B0252B78FB7EF0AA425B53A042A893206EF44B1F730BD2C6A0A0665CA00CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648950Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:45.436{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E86212D30096779F7933D2E63F47BCE1,SHA256=DECD91ABA6DD06C5242021FA5C92B25D7661F3E639CBD917511AD652BCD2361D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595182Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:46.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9ECF3C2ABE2DFB98BF4A5A81B1BC846,SHA256=03F8378490BC7300F5246D5B7E8375F65B6BD34E50B3E7E9BEEC41B7C4EA269A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648952Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:46.811{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D499D25CF1E8E83A82D6B56FFC781BA8,SHA256=5901CEF6F1F865A2C5DAF94F69B028D420DA07634D0C4925289F13D5F755A07B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000595181Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000595180Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0963649d) 13241300x8000000000000000595179Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75877-0x35c89f00) 13241300x8000000000000000595178Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD 
(0x01d7587f-0x978d0700) 13241300x8000000000000000595177Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75887-0xf9516f00) 13241300x8000000000000000595176Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000595175Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0963649d) 13241300x8000000000000000595174Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75877-0x35c89f00) 13241300x8000000000000000595173Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7587f-0x978d0700) 13241300x8000000000000000595172Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75887-0xf9516f00) 23542300x8000000000000000595183Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:47.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9473CDA787CFDEDFCF911DE639587051,SHA256=B79B94DE170A5CCAB50E0D4B39226CB9C3641153D52C6CC625503A24EE2C1D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648953Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:46.998{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED8097E9ED0C4DB99194A8589CB1AE8,SHA256=6EFC836AA7DCC47E4C573030A4E2970B67163EE1B511898259E3964A0F46012F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595184Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:48.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96640354EA1B3D0A66D23590CB4F0ED9,SHA256=C670D5C66D3E448B6D55764C1DD8871E7E15B563ED4CDA4EFC6F517BBA08F392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648955Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:48.186{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA0697728E342BF859B6F28F1D9A42D2,SHA256=AC97EDFE5FD4C351FB95AE4ADED88BE84C63011FE06F5AA4A7CC20EBC09566C8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000648954Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:48.014{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3746DEBE9673141FDD37B702EBA62C2D,SHA256=15A445DB60F9D87B9B8E916A6CE8B1E0FF1ED1F838DFD6BB1EC2F33858BCB9E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595195Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.852{97C2ED32-DE75-60B8-4158-00000000C501}7404180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595194Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DE75-60B8-4158-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595193Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:49.727{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595192Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595191Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:49.727{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595190Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595189Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:49.727{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DE75-60B8-4158-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595188Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DE75-60B8-4158-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595187Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-DE75-60B8-4158-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
13:51:53.758{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595250Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595249Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:53.758{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595248Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DE79-60B8-4758-00000000C501}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595247Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DE79-60B8-4758-00000000C501}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595246Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.759{97C2ED32-DE79-60B8-4758-00000000C501}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595245Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.742{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3632276AAB7D0674BFA4EC8F81B99A9D,SHA256=DCE45E9957446F24F87320996A526E462B2AB02B2EDE7A5E5E8BEFE25B5D33EC,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000648965Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:53.077{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C14DADE14CECC0DBAC7723532EB7974,SHA256=6E4BFCAF549951D940154FEEAC930FCEE8E8BB119A0E16057681483FD3B819A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595244Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.446{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B8CEEA3D848E6286FB4092E27BABD7C,SHA256=0EAD732E7EB1676A864FBF2766173CA1A454A6E33FCCF73F9A5A26A4BFEB11D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595243Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DE79-60B8-4658-00000000C501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595242Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:53.086{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595241Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595240Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:53.086{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595239Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595238Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:51:53.086{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DE79-60B8-4658-00000000C501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595237Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DE79-60B8-4658-00000000C501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595236Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.087{97C2ED32-DE79-60B8-4658-00000000C501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595256Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:54.758{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917CE648DF35028A0F038A96A791D4D6,SHA256=738ABADAD29C6D7AF5A1EE241A666B271958697256907C54E6E752B44E136AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595255Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:54.758{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B2B49EFEC173DD8DF00FF153A9CA3A5,SHA256=6F81C214563175D8A1778DD78092B20306891B22FAFD377FC3F4996DB247D692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648967Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:54.248{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6B2EC2D3E4FF4CD1F96BED9661060A6,SHA256=50DD91B02213D7E6A59D8AFB58EEDB708B4AE26312AEC95D028D9955DB4540EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648966Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:54.077{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F5A1EAA440D885D15409F8E2114464,SHA256=4D59FC00017CDC1398C81665E32D51DB3C2445352CE03892D8C7703A0ECD45A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595258Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:55.758{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89DCDBE7435928802E44F171E13761EA,SHA256=28865A95338C54A906968C9CB09DEC8ACC4544C7D1C2C6632EB7F44CD7A90441,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595257Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.995{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49754-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000648969Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:55.420{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D543C440D3CEAA864D2F8D4847100D00,SHA256=CCED230F6EDDC9803301EE7F2FCA4E00990C483A35BBD1981D6870B58141D151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648968Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:55.092{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F300944A61BE44EB2E03BD2DFA41D61E,SHA256=1ADF4B4500DD79CF71F355AF7DDECAACCDCDEC03A8D27B8204990C55EA309D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595259Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:56.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8188D0B900F7D907AE62001C6280AF1C,SHA256=8B1F2E46E8ADAB0DFDBBB41B314262468EF20FED415C22F28C9936EFC2308312,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648972Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:51.662{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49808-false10.0.1.12-8000- 23542300x8000000000000000648971Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.534{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5D340B7BF318E31FBB02E4E9B02A1D7,SHA256=A8C71EB92002C7AF02F20736331734DA13C4A3E89FEABFEE8B1DBDA1151FAA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648970Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.092{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8E7BF53F10E326C2B443226BC1F3FE,SHA256=56BA5A97202267F902E1BEC43604E6D91DCA4F9BD7244E143B8F875DC4E7735F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595261Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:57.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5E174471A92968B855CB35AE2AF272,SHA256=F9CF4C517930122934DDEEF62A6BBED1D6213229EFF8912CC966254AD08CEA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648974Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.799{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C4A82A821B64BCF6F86C3615A3E49F,SHA256=62B636F021DF7DA004D70EA42B10CF6EB590D2A155C25B020BF834E03DC5152F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648973Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.096{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B909C3D1E82B3821402B9C280961DD,SHA256=78E58F78CBEF50BFC33DD6683DEB407E6277422979BD3CD7878A074B4506B566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595260Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:57.245{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595263Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:58.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E541BBB6363361C3D8B2902056282CA3,SHA256=36D42E1D7A477048F7B4F4BDEEC7A9F170DEFAAEE4094A6AA435EDF70EE076A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649011Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649010Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000649009Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649008Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=649007 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.971 SourceProcessGUID={D419E45B-752D-60B6-0B00-00000000C401} SourceProcessId=632 SourceThreadId=5016 SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={D419E45B-A18D-60B6-EF0A-00000000C401} TargetProcessId=3200 TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1478 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=649006 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.971 SourceProcessGUID={D419E45B-752D-60B6-0B00-00000000C401} SourceProcessId=632 SourceThreadId=5016 SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={D419E45B-A18D-60B6-EF0A-00000000C401} TargetProcessId=3200 TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=7 RecordID=649005 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.955 ProcessGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ProcessId=3200 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ImageLoaded=C:\Windows\System32\cryptdll.dll FileVersion=10.0.14393.2969 (rs1_release.190503-1820) Description=Cryptography Manager Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=cryptdll.dll Hashes=MD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=10 RecordID=649004 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.924 SourceProcessGUID={D419E45B-752D-60B6-0B00-00000000C401} SourceProcessId=632 SourceThreadId=6984 SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={D419E45B-A18D-60B6-EF0A-00000000C401} TargetProcessId=3200 TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1478 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=649003 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.924 SourceProcessGUID={D419E45B-752D-60B6-0B00-00000000C401} SourceProcessId=632 SourceThreadId=6984 SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={D419E45B-A18D-60B6-EF0A-00000000C401} TargetProcessId=3200 TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 RecordID=649002 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.893 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational Hashes=MD5=004D010A5247AC911E18435353BF97C0,SHA256=C0E6238F51660F10FDA76D18A0DE8394EFDE392A979428AFEC294EEB03C05A29,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=649001 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.580 ProcessGuid={D419E45B-DE7E-60B8-674E-00000000C401} ProcessId=4812 User=ATTACKRANGE\Administrator Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Hashes=MD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 RecordID=649000 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.503 SourceProcessGUID={D419E45B-7530-60B6-1600-00000000C401} SourceProcessId=1268 SourceThreadId=888 SourceImage=C:\Windows\System32\svchost.exe TargetProcessGUID={D419E45B-DE7E-60B8-674E-00000000C401} TargetProcessId=4812 TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=648999 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.503 SourceProcessGUID={D419E45B-7530-60B6-1600-00000000C401} SourceProcessId=1268 SourceThreadId=1336 SourceImage=C:\Windows\System32\svchost.exe TargetProcessGUID={D419E45B-DE7E-60B8-674E-00000000C401} TargetProcessId=4812 TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1478 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=648998 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.440 SourceProcessGUID={D419E45B-752D-60B6-0B00-00000000C401} SourceProcessId=632 SourceThreadId=5016 SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={D419E45B-DE7E-60B8-674E-00000000C401} TargetProcessId=4812 TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1478 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=648997 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.440 SourceProcessGUID={D419E45B-752D-60B6-0B00-00000000C401} SourceProcessId=632 SourceThreadId=5016 SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={D419E45B-DE7E-60B8-674E-00000000C401} TargetProcessId=4812 TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=17 RecordID=648996 Computer=win-dc-233.attackrange.local RuleName=- EventType=CreatePipe UtcTime=2021-06-03 13:51:58.393 ProcessGuid={D419E45B-DE7E-60B8-674E-00000000C401} ProcessId=4812 PipeName=\PSHost.132672019182057544.4812.DefaultAppDomain.powershell Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EventID=23 RecordID=648995 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.377 ProcessGuid={D419E45B-DE7E-60B8-674E-00000000C401} ProcessId=4812 User=ATTACKRANGE\Administrator Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_gcdcmc5r.vri.psm1 Hashes=MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=648994 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.377 ProcessGuid={D419E45B-DE7E-60B8-674E-00000000C401} ProcessId=4812 User=ATTACKRANGE\Administrator Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2bidgoer.ldg.ps1 Hashes=MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 RecordID=648993 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.299 ProcessGuid={D419E45B-DE7E-60B8-674E-00000000C401} ProcessId=4812 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2bidgoer.ldg.ps1 CreationUtcTime=2021-06-03 13:51:58.299
EventID=10 RecordID=648992 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.268 SourceProcessGUID={D419E45B-752F-60B6-0C00-00000000C401} SourceProcessId=848 SourceThreadId=4960 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={D419E45B-DE7E-60B8-674E-00000000C401} TargetProcessId=4812 TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=648991 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.205 SourceProcessGUID={D419E45B-A18D-60B6-F00A-00000000C401} SourceProcessId=1132 SourceThreadId=3376 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={D419E45B-DE7E-60B8-674E-00000000C401} TargetProcessId=4812 TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=648990 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.205 SourceProcessGUID={D419E45B-752F-60B6-0C00-00000000C401} SourceProcessId=848 SourceThreadId=4960 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={D419E45B-753F-60B6-2C00-00000000C401} TargetProcessId=3020 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=648989 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.205 SourceProcessGUID={D419E45B-752F-60B6-0C00-00000000C401} SourceProcessId=848 SourceThreadId=4960 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={D419E45B-753F-60B6-2C00-00000000C401} TargetProcessId=3020 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=648988 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.205 SourceProcessGUID={D419E45B-78A0-60B6-AD02-00000000C401} SourceProcessId=2284 SourceThreadId=6244 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={D419E45B-DE7E-60B8-674E-00000000C401} TargetProcessId=4812 TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 RecordID=648987 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.205 SourceProcessGUID={D419E45B-752F-60B6-0C00-00000000C401} SourceProcessId=848 SourceThreadId=4960 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={D419E45B-753F-60B6-2C00-00000000C401} TargetProcessId=3020 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=648986 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.205 SourceProcessGUID={D419E45B-752F-60B6-0C00-00000000C401} SourceProcessId=848 SourceThreadId=4960 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={D419E45B-753F-60B6-2C00-00000000C401} TargetProcessId=3020 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=648985 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.205 SourceProcessGUID={D419E45B-DE7E-60B8-664E-00000000C401} SourceProcessId=6100 SourceThreadId=4948 SourceImage=C:\Windows\system32\cmd.exe TargetProcessGUID={D419E45B-DE7E-60B8-674E-00000000C401} TargetProcessId=4812 TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1 RecordID=648984 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.205 ProcessGuid={D419E45B-DE7E-60B8-674E-00000000C401} ProcessId=4812 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion=10.0.14393.206 (rs1_release.160915-0644) Description=Windows PowerShell Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=PowerShell.EXE CommandLine=powershell.exe import-module c:\temp\SharpHound.ps1 CurrentDirectory=C:\Temp\ User=ATTACKRANGE\Administrator LogonGuid={D419E45B-78A2-60B6-C5F5-1C0000000000} LogonId=0x1cf5c5 TerminalSessionId=2 IntegrityLevel=High Hashes=MD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453 ParentProcessGuid={D419E45B-DE7E-60B8-664E-00000000C401} ParentProcessId=6100 ParentImage=C:\Windows\System32\cmd.exe ParentCommandLine="C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1
EventID=10 RecordID=648983 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.174 SourceProcessGUID={D419E45B-A18D-60B6-F00A-00000000C401} SourceProcessId=1132 SourceThreadId=3376 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={D419E45B-DE7E-60B8-664E-00000000C401} TargetProcessId=6100 TargetImage=C:\Windows\system32\cmd.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=648982 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.174 SourceProcessGUID={D419E45B-752F-60B6-0C00-00000000C401} SourceProcessId=848 SourceThreadId=4960 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={D419E45B-753F-60B6-2C00-00000000C401} TargetProcessId=3020 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=648981 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.174 SourceProcessGUID={D419E45B-752F-60B6-0C00-00000000C401} SourceProcessId=848 SourceThreadId=4960 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={D419E45B-753F-60B6-2C00-00000000C401} TargetProcessId=3020 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=648980 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.174 SourceProcessGUID={D419E45B-752F-60B6-0C00-00000000C401} SourceProcessId=848 SourceThreadId=4960 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={D419E45B-753F-60B6-2C00-00000000C401} TargetProcessId=3020 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=648979 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.174 SourceProcessGUID={D419E45B-752F-60B6-0C00-00000000C401} SourceProcessId=848 SourceThreadId=4960 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={D419E45B-753F-60B6-2C00-00000000C401} TargetProcessId=3020 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=648978 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.174 SourceProcessGUID={D419E45B-78A0-60B6-AD02-00000000C401} SourceProcessId=2284 SourceThreadId=1824 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={D419E45B-DE7E-60B8-664E-00000000C401} TargetProcessId=6100 TargetImage=C:\Windows\system32\cmd.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 RecordID=648977 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.174 SourceProcessGUID={D419E45B-A18D-60B6-EF0A-00000000C401} SourceProcessId=3200 SourceThreadId=1160 SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetProcessGUID={D419E45B-DE7E-60B8-664E-00000000C401} TargetProcessId=6100 TargetImage=C:\Windows\system32\cmd.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64)
EventID=1 RecordID=648976 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.167 ProcessGuid={D419E45B-DE7E-60B8-664E-00000000C401} ProcessId=6100 Image=C:\Windows\System32\cmd.exe FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Windows Command Processor Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=Cmd.Exe CommandLine="C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1 CurrentDirectory=C:\Temp\ User=ATTACKRANGE\Administrator LogonGuid={D419E45B-78A2-60B6-C5F5-1C0000000000} LogonId=0x1cf5c5 TerminalSessionId=2 IntegrityLevel=High Hashes=MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A ParentProcessGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ParentProcessId=3200 ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EventID=23 RecordID=648975 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.112 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=CA77A7B3C7EFF8ADC1663FC0928FBEFD,SHA256=83C536755EBE2E7B75517AA459DE36F4DB8D1DCD4A1FF54070ABD3976BFD60D6,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=595262 Computer=win-host-236.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:58.276 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=F6AE19543D9B17C8A331F358B4028199,SHA256=A644B150CEF2B7CB0AE522DD0A072C52A42813D46E3B500BF03CCE7B9E80A2A5,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=595265 Computer=win-host-236.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:59.761 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=E583088C7A552F76044B769F57FA936E,SHA256=B27F00F1CEBCBE21A79C91819C95DE54F765F611E3D127A0A338CE19CF8D7CD2,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=22 RecordID=649030 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:57.176 ProcessGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ProcessId=3200 QueryName=win-dc-233.attackrange.local QueryStatus=0 QueryResults=fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EventID=23 RecordID=649029 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:59.627 ProcessGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ProcessId=3200 User=ATTACKRANGE\Administrator Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Temp\20210603135158_wx0nq5il.00z Hashes=MD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=649028 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:59.627 ProcessGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ProcessId=3200 User=ATTACKRANGE\Administrator Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Temp\20210603135158_wfyuldho.ywu Hashes=MD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=649027 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:59.627 ProcessGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ProcessId=3200 User=ATTACKRANGE\Administrator Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Temp\20210603135158_hpzxallb.vi0 Hashes=MD5=5F619D07A23D16584AA58EEDB1DDCCDC,SHA256=9BBE6801B3B337A07A8B6DF0B52E2C4BB76EB23B35ACC78BA59041690A073EF7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=649026 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:59.627 ProcessGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ProcessId=3200 User=ATTACKRANGE\Administrator Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Temp\20210603135158_lc5xhmwd.rxy Hashes=MD5=16B8F0400C23275FB5F7BFB175F7B491,SHA256=6980226153F7317145EDF65E684F2ED03B242E37D09FD059138BFB51A26F6401,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=649025 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:59.627 ProcessGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ProcessId=3200 User=ATTACKRANGE\Administrator Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Temp\20210603135158_2wamxuo1.5rc Hashes=MD5=15200722E11C8FB935E1EB3A62BD407C,SHA256=E06941E35D85F9C7A3CF19EBC4D157BAA9AAB7FEBF4592E678EC88E2B4803062,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=649024 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:59.612 Proc
essGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ProcessId=3200 User=ATTACKRANGE\Administrator Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Temp\20210603135158_mpgymmk0.vaq Hashes=MD5=8078C8B8E62CCF450959319A920BDF72,SHA256=EB58B74E3B8EF39F459C613122399757C936A71B94221CE3B7DDBD2B179A5322,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 RecordID=649023 Computer=win-dc-233.attackrange.local RuleName=T1053 UtcTime=2021-06-03 13:51:59.580 ProcessGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ProcessId=3200 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Temp\20210603135158_umiif3bs.kx4 CreationUtcTime=2021-06-03 13:51:59.580
EventID=11 RecordID=649022 Computer=win-dc-233.attackrange.local RuleName=T1053 UtcTime=2021-06-03 13:51:59.549 ProcessGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ProcessId=3200 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Temp\20210603135158_wx0nq5il.00z CreationUtcTime=2021-06-03 13:51:59.549
EventID=11 RecordID=649021 Computer=win-dc-233.attackrange.local RuleName=T1053 UtcTime=2021-06-03 13:51:59.549 ProcessGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ProcessId=3200 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Temp\20210603135158_wfyuldho.ywu CreationUtcTime=2021-06-03 13:51:59.549
EventID=11 RecordID=649020 Computer=win-dc-233.attackrange.local RuleName=T1053 UtcTime=2021-06-03 13:51:59.534 ProcessGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ProcessId=3200 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Temp\20210603135158_hpzxallb.vi0 CreationUtcTime=2021-06-03 13:51:59.534
EventID=11 RecordID=649019 Computer=win-dc-233.attackrange.local RuleName=T1053 UtcTime=2021-06-03 13:51:59.534 ProcessGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ProcessId=3200 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Temp\20210603135158_lc5xhmwd.rxy CreationUtcTime=2021-06-03 13:51:59.534
EventID=11 RecordID=649018 Computer=win-dc-233.attackrange.local RuleName=T1053 UtcTime=2021-06-03 13:51:59.534 ProcessGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ProcessId=3200 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Temp\20210603135158_2wamxuo1.5rc CreationUtcTime=2021-06-03 13:51:59.534
EventID=10 RecordID=649017 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:59.502 SourceProcessGUID={D419E45B-752D-60B6-0B00-00000000C401} SourceProcessId=632 SourceThreadId=6508 SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={D419E45B-A18D-60B6-EF0A-00000000C401} TargetProcessId=3200 TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1478 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 RecordID=649016 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:59.502 SourceProcessGUID={D419E45B-752D-60B6-0B00-00000000C401} SourceProcessId=632 SourceThreadId=6508 SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={D419E45B-A18D-60B6-EF0A-00000000C401} TargetProcessId=3200 TargetImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=11 RecordID=649015 Computer=win-dc-233.attackrange.local RuleName=T1053 UtcTime=2021-06-03 13:51:59.471 ProcessGuid={D419E45B-A18D-60B6-EF0A-00000000C401} ProcessId=3200 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Temp\20210603135158_mpgymmk0.vaq CreationUtcTime=2021-06-03 13:51:59.471
EventID=23 RecordID=649014 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:59.315 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=BF92DF3A6B70C7DC6986B33C047E3713,SHA256=63469EA8C045E6B6AA12803691EBFEE7E8FF5263C459CBA2E23658FE4A146C46,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=649013 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:59.252 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational Hashes=MD5=2A56A952B1ADABEA10B182D8024E5F68,SHA256=56F792541E3D0D7589713688272F9C45C0B31E7FDAA68E82C87827812FF2E065,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=649012 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:59.252 ProcessGuid={D419E45B-7552-60B6-7500-00000000C401} ProcessId=2528 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=7A5E14646F204E0D7AB4ECA3B765F376,SHA256=2432FFA60E54FABBEA5AA786E6673AD4B140FCB8ADC59479FFF7E6BC41A68171,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 RecordID=595264 Computer=win-host-236.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:56.061 ProcessGuid={97C2ED32-787E-60B6-C000-00000000C501} ProcessId=3336 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-236.attackrange.local SourcePort=49755 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8089 DestinationPortName=-
EventID=23 RecordID=595268 Computer=win-host-236.attackrange.local RuleName=- UtcTime=2021-06-03 13:52:00.761 ProcessGuid={97C2ED32-788B-60B6-F700-00000000C501} ProcessId=3204 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=A83F1B5D6B009A7827E74935E726CD2D,SHA256=2EF79051DA68F9C1E7E2F4176B365F7B37E33A531F9667CD58D9C7C5C468A411,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 RecordID=649064 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:57.037 ProcessGuid={D419E45B-752A-60B6-0100-00000000C401} ProcessId=4 Image=System User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=false SourceIsIpv6=true SourceIp=fe80:0:0:0:8a7:5018:d121:bd39 SourceHostname=win-dc-233.attackrange.local SourcePort=49820 SourcePortName=- DestinationIsIpv6=true DestinationIp=fe80:0:0:0:8a7:5018:d121:bd39 DestinationHostname=win-dc-233.attackrange.local DestinationPort=445 DestinationPortName=microsoft-ds
EventID=3 RecordID=649063 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:57.037 ProcessGuid={D419E45B-752A-60B6-0100-00000000C401} ProcessId=4 Image=System User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=true SourceIp=fe80:0:0:0:8a7:5018:d121:bd39 SourceHostname=win-dc-233.attackrange.local SourcePort=49820 SourcePortName=- DestinationIsIpv6=true DestinationIp=fe80:0:0:0:8a7:5018:d121:bd39 DestinationHostname=win-dc-233.attackrange.local DestinationPort=445 DestinationPortName=microsoft-ds
EventID=3 RecordID=649062 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:56.979 ProcessGuid={D419E45B-752D-60B6-0B00-00000000C401} ProcessId=632 Image=C:\Windows\System32\lsass.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-233.attackrange.local SourcePort=49819 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.14 DestinationHostname=win-dc-233.attackrange.local DestinationPort=389 DestinationPortName=ldap
EventID=3 RecordID=649061 Computer=win-dc-233.attackrange.local RuleName=- UtcTime=2021-06-03 13:51:56.979 ProcessGuid={D419E45B-752D-60B6-0B00-00000000C401} ProcessId=632 Image=C:\Windows\System32\lsass.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=false SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-233.attackrange.local SourcePort=49818 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.14 DestinationHostname=win-dc-233.attackrange.local DestinationPort=389 DestinationPortName=ldap
354300x8000000000000000649060Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.979{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49819-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649059Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.979{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49818-false10.0.1.14win-dc-233.attackrange.local389ldap 23542300x8000000000000000649058Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.815{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BD02F39143D42F709753A7F742927172,SHA256=C512B8130083F5D1FF387013D81B68D1065BCE0689A29240612458B9020796A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649057Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49817-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649056Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49816-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649055Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49814-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649054Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49817-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649053Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49816-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649052Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49813-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649051Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49814-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649050Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49815-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649049Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49813-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649048Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49815-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649047Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49812-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649046Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49812-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649045Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49811-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649044Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49811-false10.0.1.14win-dc-233.attackrange.local389ldap 
23542300x8000000000000000649043Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.456{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A9DDF13D430A73B2F0B2FD3370A1197,SHA256=8586E2B8D2D86B26992B99251ADA234FC72F73A8679C4464764DA118498813DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649042Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.346{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649041Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.346{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649040Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:00.346{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649039Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.330{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000649038Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.330{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E69109EE16D4812AA1BA3475A0614D5,SHA256=8336C4F38C45B7727D1BA4CA5000565B5A995A2B2650139ACC4B45EFDF9A7EC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649037Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:00.330{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649036Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.330{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000595267Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:57.904{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49756-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595266Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:00.089{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B6D8F4146B9B2BE5A6EEE256E8DA2FA,SHA256=1CDE5DDD599B0E00B2F61081E315C7C8B76CBE29220CED91305A00E85478B572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649035Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.221{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649034Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.509{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49810-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649033Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.509{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49810-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649032Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.480{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49809-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649031Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:51:56.480{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49809-false10.0.1.14win-dc-233.attackrange.local389ldap 23542300x8000000000000000595270Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:01.886{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5DEBFCED12D98C40A6E2C603F003C5F4,SHA256=1AE9B15314034DB941F0C19BD67334A76A50DC2AEA2562B86FFE34B319D11F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595269Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:01.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BC4B91CDD322F8327E8985CEEE2687,SHA256=15A28ADBEFA4FB03BE5DEFED748DDE6C623EE2F8A53975D978C75FE10C35DA15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649068Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.729{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49822-false10.0.1.12-8089- 354300x8000000000000000649067Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.604{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49821-false10.0.1.12-8000- 23542300x8000000000000000649066Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:01.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BCBDB04644FD3EE7BC981C1108351CD,SHA256=925349BD2EE0F0DE505BA8FC0A4DBF6C277B513B022F12D950437546311130E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649065Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:01.455{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C348FFA4973D8456189F6A9193B9343,SHA256=4CE801E12AA786BD2B2B25CCBDA8AA6149FE4F8CCE6F3DF619BD2433E3A6EF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595271Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:02.776{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A9AB9280CA8739F2A8E90B652DF5A4,SHA256=87E53DFE7131F49851F037CC3ACB5E4E3B4EDD38E05A37C92EA14B53E5CBB54E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649070Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:02.674{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F469FFE7C59BF227DD663784523EC8F,SHA256=075885EF9614EA45D5F521A3590909E81C5F203EC0CFE6642D27349E01401F06,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000649069Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:02.659{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69D4ABC55B42FFC7DB1052CCDC211764,SHA256=9F2807F266471F65376F1143AF5A40D2D2A5FD93D5C7B29F7FA524CBDDD6C067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595272Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:03.776{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250CB454E25ADB3D2EF85AB166C8D89B,SHA256=144892C263B7C7AC7A0AE48CFE8ADB20AB8004A302ECF6B66D5418CCF03D11D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649072Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:03.831{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B8EAB45DD79BE4593C7C9639FA10A7E,SHA256=71DD7533978D4270CA79F8E1A36F8C0D8EBB08DCDCC6898E52A629E507A6CD05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649071Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:03.831{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E555CB7168F83DC19BE02BFD7FF0BA5B,SHA256=90F8C47A2B600CB2F184794D5CB2BD751F6D5B75A80AED73FFB09B0C67E1AE62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649074Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:04.971{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4670135D7C46279A0E025D6655B3DF0B,SHA256=758C08E5CB7D45528763089349CDCE76E2D64B389FC663502BCC41A058B73892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649073Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:04.971{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116DA717B4B8CF327917BBAC3E9FA313,SHA256=6053EC2563EA60A52E13216CE42B11A858D8548E87C91E5C71D4D71787FB3F8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595273Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:04.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD3C33F6276E9658E291F65A86A59F6,SHA256=974171117EE27B2FA401F8295F97443088D2DF045798192C66AB88F6AC506517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649101Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.612{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FA894E80770B408731A251770125D93D,SHA256=0372DBF5AE37DD40B45662BFB77687AA0D331F96E8EC1C3F92A4934B4E18D9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649100Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.424{D419E45B-DE85-60B8-6A4E-00000000C401}4888ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649099Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.346{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649098Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:05.346{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649097Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.285{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649096Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:05.285{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000649095Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 13:52:05.252{D419E45B-DE85-60B8-6A4E-00000000C401}4888\PSHost.132672019251046846.4888.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000649094Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.237{D419E45B-DE85-60B8-6A4E-00000000C401}4888ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_5dqybcmf.bsa.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649093Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:05.221{D419E45B-DE85-60B8-6A4E-00000000C401}4888ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_yca021bn.ddp.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649092Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.190{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_yca021bn.ddp.ps12021-06-03 13:52:05.190 10341000x8000000000000000649091Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.174{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649090Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649113Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649112Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649111Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649110Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649109Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649108Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649107Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.112{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A769943EA77DD115D7E53C407F2D0947,SHA256=D21A6927A245D6227183356E5791C38AED4A3874B28770C1E1089635463279FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595279Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:07.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE721BB10CA177436D1DAB4B83CDA28,SHA256=30927380EDF3AA39B376E2801DAB88AC27317E01646635935221CCC8D902528A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595280Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:08.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1466E73A310AE6323A9D0CD6B89170CE,SHA256=EE1A6A1CD09B15F390E1DD7ACADD740A7DEE1C5614300B5B962750BBE41CB409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649142Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:08.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC75863C7A8D0663895E51444E6389BF,SHA256=9E5370976D803757D4FA428E047A65CCA17655571049F4A3D43144093DA92465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649141Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:08.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8F167E002C55DA2752110B2BDB46AD,SHA256=DF554DF448477822E5B43B1D7B052058AFF5A6CCC384D6DD07A0091451C19FCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649140Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:03.603{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49824-false10.0.1.12-8000- 23542300x8000000000000000649145Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:09.674{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95218AEF9C1C25A4366549BA402B3355,SHA256=9E1481EF6C45B33B43B68DDEFCE29E0F481B745E8A7CD261132245AD6CC60BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649144Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:09.659{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E61D6F2A84A14C1BEF5361B2992D4E1B,SHA256=2736266A363A64ECCAA33ADA147D4B068222F6EA057E6B6C031EEA3AD96E1443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649143Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:09.159{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D52D9332D50FBAB75B1C7410F8FCA4F,SHA256=9C6C31A3C1117E8E7CB3A008E716D3544072B9869715EDA82D319B850F1151A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595281Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:09.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECBEE0AA678F3968E876A54533804384,SHA256=48412067DBDB59C766375E0BE405DFE90E97EE434BE2996B5B1DD37885DC74FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595285Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:10.808{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A47082A928CD904F23EA6A980B327D,SHA256=685AC4AB732372E2BD5C935D27A6F617C88FE07D58A48708D97DF5BA30F158B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649149Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.893{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A1DE7EF866ED205EC67870F4EA8DF68,SHA256=0C99A6BA635F061BACE35245053218D381BB48A4BF3A90FFE7794FF4B1F79F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649148Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.268{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A2B7BEA772FD00868569A12BAAA343A,SHA256=5141FB9DF661EFE6B3A4547915EC30A4EB3E999D24D4C543BA0FF155AF437C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649147Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.174{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559A7C5A2BFDA3B6170CAB13727F0398,SHA256=6BABC02CF39BF5BC563FCC3236D793A1C7D2538D5E9EEB6BF86C0D8369CF856D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649146Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.034{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DF49247A0B35C9AA255D637BD818965,SHA256=2827F0508C41D6C05356A4BAE65B1F1189D75D9CF05530769F81BE95E8AB4DBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595284Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:08.045{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49758-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595283Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:10.214{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADB9AC450E8FC4B175C58933C3B1CEC0,SHA256=621CE79DE2EEAF566AE386743EA07379247F72388811F178456E972CBA6E623F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595282Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:10.214{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46597AF6E5B2E480C3C6C6C485CC37BE,SHA256=7E67E77D6E622812A1C91F3DE9CEC9BD58EB9826E64A7538031EC2E4F8F2367A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595286Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:11.839{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF575C0B2FC0C49326DAABE5DD34B34,SHA256=17F6A420EA69FC4C4B58D75AFD74622F54CD3CEC2A56598731F97FD99F36577C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649152Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:11.940{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=584C9C1DCBBB5F4A086BD0C4F6C2DE43,SHA256=B2D9BB8E32851A6269B50AE7D5E46C6082BC55C89D7D69233C0CDA9420774AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649151Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:11.315{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ECE63E91769AD94D767939CCB2F0EEA,SHA256=44CF8656D4C9911A7FD2730E59A4163C687B02ADF284FEA3F844C1EA4EA619D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649150Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:11.190{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99B07AFF1A8A5BDC2ABD851203BFDBD,SHA256=5F6E00D39F6EBE330E9D910E7DD9A577FE7AC759E88918471432AA52B20C5603,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649189Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 
13:52:12.987{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_groups.json2021-06-03 13:52:12.987 10341000x8000000000000000649188Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649187Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649186Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000649185Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649184Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649183Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000649182Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.705{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649181Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:12.705{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649180Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.627{D419E45B-DE8C-60B8-6C4E-00000000C401}4284ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649179Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.534{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000649178Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.534{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649177Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.471{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649176Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:12.471{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000649175Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 13:52:12.440{D419E45B-DE8C-60B8-6C4E-00000000C401}4284\PSHost.132672019321729269.4284.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000649174Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.409{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=236CA8DCC70B9150F4B054B832AAE345,SHA256=8C613B402EE11D0A32B5D9E23E3E326E1EEB8910EACF20E7D5D12AED60A435CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649173Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:12.409{D419E45B-DE8C-60B8-6C4E-00000000C401}4284ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3tkycblr.qn1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649172Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.377{D419E45B-DE8C-60B8-6C4E-00000000C401}4284ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ixhsvqdq.zsm.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649171Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.299{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ixhsvqdq.zsm.ps12021-06-03 13:52:12.299 10341000x8000000000000000649170Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:12.252{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649169Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.205{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C856C77A8CE198ACDE5B6CE30667D8F6,SHA256=6F6D3DF5882C1E3C17FA1701DDDA81E2FC9A18F376111261491A2BAD61ECEB12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595287Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:12.870{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AEE4540935CBBFED1C48B98015E51F,SHA256=11C526572E8D2BAE0E11688DF6C174B962F31537D6D3E9E535596137A1DD669D,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000649168Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.174{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649167Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649166Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649165Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649164Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649163Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-78A0-60B6-AD02-00000000C401}22846252C:\Windows\system32\csrss.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649162Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-DE8C-60B8-6B4E-00000000C401}54682212C:\Windows\system32\cmd.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x8000000000000000649161Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.172{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-DE8C-60B8-6B4E-00000000C401}5468C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1 10341000x8000000000000000649160Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DE8C-60B8-6B4E-00000000C401}5468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649159Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649158Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649157Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649156Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649155Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:12.159{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-DE8C-60B8-6B4E-00000000C401}5468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649154Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DE8C-60B8-6B4E-00000000C401}5468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(
wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000649153Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.153{D419E45B-DE8C-60B8-6B4E-00000000C401}5468C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 354300x8000000000000000649222Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.260{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49826-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649221Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.260{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49826-false10.0.1.14win-dc-233.attackrange.local389ldap 10341000x8000000000000000649220Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649219Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:13.752{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649218Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649217Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649216Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:13.752{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649215Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000649214Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:09.619{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49825-false10.0.1.12-8000- 23542300x8000000000000000649213Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D13C24BE5A5CE22B8D20AA5C7BD9D69,SHA256=41492C333825950178D213AC48FD251F5A7C385463341E8677B10A1B27B3C740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649212Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=76E8D671C2E914F03364058D9085E0F6,SHA256=C2CFD5229B3236F8E6EF0C0EE9DEB6E6B5BB57183C788835353DAF220629448C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649211Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.143{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.bin2021-06-01 18:15:53.751 23542300x8000000000000000649210Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.143{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.binMD5=0D30DFB54488D59E2B5B93E04E43134C,SHA256=C0A9ADC14C4C1D34A5502CA9D21C4DE4CF6366C1BD92D0B295E66AECEB068969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649209Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.143{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_computers.jsonMD5=BC6D79EF4F469420EE4F76EEE7183FDA,SHA256=539A89CCB4A769A572593D28F7E62EF24C3A82AE53EC4440034D41D9DFE17690,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000649208Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_users.jsonMD5=8F412C3CDDB823A176BAF09F25E803A1,SHA256=BA67CD5BF43E1155F10328612FC19FE79FE351922AAB0B70604477DF78E1A89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649207Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_domains.jsonMD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649206Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_ous.jsonMD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649205Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_gpos.jsonMD5=DCB570C80F70EAC0F6A8803BF8F48F7F,SHA256=C57F8C8470A8B1832A69F537DC41F66B22B6EB03D2CFF0E8AD53EEE1E4BA0F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649204Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_groups.jsonMD5=454D4C3A03B3CEE9ED18B2363743C7D7,SHA256=78B9EE14E56513A90D7A86F8193A98C79C9D86B7ED8CAE35FD5801DD6D80ABDA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649203Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_BloodHound.zip2021-06-03 13:52:13.127 10341000x8000000000000000649202Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.096{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649201Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:13.096{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649200Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDEEF7566AA0C824A8105C2F333CE774,SHA256=F9A15DC92873473E3F743BEA2D7738526FB89A8B687EEBA29DCE3415103C8FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649276Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.127{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=919FAC31DA1035C57173FF036BB245E9,SHA256=62C44A5AEDDDE98591F4BFE6D6672845628148CF31F40EF693DFB171DC84B844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649275Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.112{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BECE8AB4AD7811CE14B4D61D96B20D0,SHA256=7DBDF69DB0660D7CCF5171790F65F9CD89B5AE41374E6BF92DE8E7DB4B5D651E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649274Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.112{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE90-60B8-6F4E-00000000C401}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649273Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:16.096{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649272Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.096{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649271Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:16.096{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649270Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.096{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649269Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.096{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DE90-60B8-6F4E-00000000C401}6848C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649268Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.096{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE90-60B8-6F4E-00000000C401}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649267Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.098{D419E45B-DE90-60B8-6F4E-00000000C401}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595299Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:16.943{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B293469C112B64D70F700341B025C1,SHA256=BD1C5BBE2C52D4740121506585B2F45694085A317E164FB31EADDC7C6E6D4D07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649298Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.606{D419E45B-DE91-60B8-714E-00000000C401}69606832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649297Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.559{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A81C5F70D5A8195824BAC8371E78FDB,SHA256=6D9745B54AB0B64EB43730A19E0ABD5A7C8944B396A0D3629363D014EC94C9CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649296Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.450{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE91-60B8-714E-00000000C401}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649295Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.450{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649294Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:17.450{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649293Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.450{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE91-60B8-714E-00000000C401}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649292Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:17.450{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649291Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.450{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649290Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.434{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE91-60B8-714E-00000000C401}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649289Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.435{D419E45B-DE91-60B8-714E-00000000C401}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000649288Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:17.309{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C284D774B0951ABA93F53391F4D3F1,SHA256=3527B39F5C05B015A158FB6DA497EC577426E491385850F8FB35CE7F0D80ACC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595300Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:17.943{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DAAA3917C2655D7FCABAD3BEF94838E,SHA256=89FE96E5CF5153F5866BD7BD963AC40153A1FF8945D00C266F8C98093F350252,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649318Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.825{D419E45B-DE92-60B8-734E-00000000C401}55883640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649317Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.747{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7681493A6DE3930802F681D6E012912,SHA256=2FD997B89EE195F8DA3515008C336671BDCE8012D4F372E47ECAFDE07F25CD5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649316Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.701{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EFC7340B4ACF37AD0663803E986628D,SHA256=875C25DBD4453EA73097A7557EC65BC00B02FB1641E2DBC302E44A802822D537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649315Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.701{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368A163A7C0915122D07786025CA4289,SHA256=A31F5E6A796FE9C523B67A63101C439EC9DA389146900C9958BBC7A113FE2CE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649314Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.622{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE92-60B8-734E-00000000C401}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649313Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:18.622{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649312Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.622{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649311Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:18.622{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649310Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.622{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649309Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.622{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE92-60B8-734E-00000000C401}5588C:\Program 
AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9640ab1.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595316Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:28.099{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F9FF4F3FA4D89093921434DAED28F7,SHA256=759E969D543CDF789E48EBBF0B6C8B1AD948EB9B592DCAFA90004E700239F347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649359Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:29.387{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90339B72A0C10DC62F10E3B099EC6642,SHA256=57353664EB257EBE93EB35F9AF236110C63E3032D97F41CF4C2E6494D0CCEF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649358Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:29.278{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2183E999F30C2C83ACCEE59CA9AFC05,SHA256=C131A09A0B1FB8D6D61CAE9AD1F77D64747C5B87AC310FBF3990C016E3136171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595318Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:52:29.099{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B21626645948170F587D42B3363592A,SHA256=D7D02DF3F262D283915EC37C459E93FF24E24547AA0D0D30E62C3CB37F20643B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595321Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:30.287{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1C0ABA980AD3154A9CA1153FF8929F80,SHA256=42D2B3847F90BD4E8A0E1EB5B374BC0DDD73DFA6DB1F4C1772BD1C0D86DD4607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595320Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:30.287{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F36AF52899F9DF8FF2ADA69C3B5696CC,SHA256=451C7C9EE7E9420D0E721F34C5E57C2DFF463D5E85A4CA13ED4E8E509D26BE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595319Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:30.162{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE74505FE92C8BD3124DAB7A1EC3E9D,SHA256=1AA851F61481E1199F128CF0BB94227DD2BD6A5CB5A9E9E5336792699D91817D,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000649362Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:26.707{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49846-false10.0.1.12-8000- 23542300x8000000000000000649361Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:30.294{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA95187E3EF4A9BFA94F872BDD599AD,SHA256=88DF001889889016671E1FBBE2D670E10A1903299FEEF751D413A70E18B4E93A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649360Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:30.012{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6719E604764CF693F75010B9918FD300,SHA256=C731D4D26ABFF610420FE3D860645EAB8C460B6F48F1A6508F2861E94388460D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595325Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:28.961{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49763-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595324Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:31.224{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139B3DEA232E4F92B49360CDCD988AD5,SHA256=68564F683746A3194CAF181AB0EDA326A12217DD73B1786F23B96B8195DBCB20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649365Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:31.512{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E7F6540360653F85A9A4605E270C406E,SHA256=26D2E1578B2F437A1A76BD1AC0FC2E050BD44F3A6B8CBD6E36A823A85234B953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649364Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:31.309{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD802DC5551B062F6948E75309AEAF16,SHA256=20468D1E71DA9F4B22874C97FF93F04DE247E01CD4E77E30E83E39C4185B68D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595323Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:31.130{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7878D371A82B3BA4618A1A24DE6043FC,SHA256=016D68291BE3FDD657DA0834E6AC993D04789073CE16578F3C9F14BECA52D031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595322Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:31.130{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11A11127326AAF591CE2AEFB56973F48,SHA256=88D8F50A9CB8B3BE5F3D643E05E851D58F8514958DA875C3A8981F6FD456CDC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649363Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:30.997{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=058A7A622B440A2ED0F0B520B26BB877,SHA256=DC84C0E0DC6F8F8FBEFC2628E43A3AFAF3B8BC5FEB29BAC9724F41C456709A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595326Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:32.225{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F3258B59C863E79FBB765004D2202C,SHA256=9AD94E3A75800476471963063A0459A4B81D7B87942C36A3A68F027251FEE787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649367Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:32.497{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A84BC23626AFEB5B611116B4CA33AFCD,SHA256=9522D26BA612F2011A4633C6E9B0BDC5AD45EA10AB3297223EC919F164AB8D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649366Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:32.497{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3F9CC20028D6B582621046784E18DA,SHA256=6C6B345E0728C8D355F2E98DC32A40E494A6945EA2F1B5CB161C4AB39D87E35F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649369Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:33.623{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05D004CF0E7B1D4FDE0FA783E5FEDA7E,SHA256=3977363206EDF94EE95AAE50762178D7F807BD6B1E0036672022508E3B09D15B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649368Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:33.497{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89E941F473F1B24002A3AB7702916C2,SHA256=4591105C6A1848E74035B5F9CED81A6011F363CAFE5CFA140999A56909F4BEE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595327Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:33.259{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028D0D84D52F2328F8B2B4766E5E40C0,SHA256=03F16A01AF94A328A80364675CA4E179FA967F280532E9BC6E96D58E095D5DD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649371Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:34.855{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F51A51A1C2386577FA33137480F6F43,SHA256=394BF8130361CBE6D407E14A9DB634F2CB044E769722FDB5615E9674BB8A8BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649370Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:34.498{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D188CA6FCFE180EA534B22419E563247,SHA256=C4C1CE7C61D5AB2E7C0D7E880472EB01EACDDA83606AAE1A66212A2D4CB3F84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595328Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:34.259{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8509F0698E77882F15DE25DCE46EAA4F,SHA256=9FCAEAB9D268AE0EBB60C3F1F3965BA9F3BDFE71BE8036FFC65AE9E7F5703C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649372Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:35.511{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B312A3F561F4DEDDF4D8A05477517C,SHA256=E30D3E2A5D341119C1012D2B9B221FD93795C66456D680E3A1E010C792434862,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000595329Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:35.274{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10EC95384BB72B6659AA5CAFB2126B53,SHA256=064AD952C6F285C4299B201C43EBE0B2710711BFE22688E7726F9BBABC2AF4E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649374Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:36.515{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213A4A2D8DBF7ACE2F1A7398E18EFFAA,SHA256=8C624C8501C808B4A5A987CDEC3D92A068C594AB7E4803187297DFBA12F736B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595330Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:36.306{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6ED6C10B685C4F1B4BC0769967D359C,SHA256=C0C81CB8EF116CFE420A25790B8E793B3BF214D5F70E9F99E0BC414CE04DEC23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649373Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:36.124{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C41BD00DEDBD56360267AE7C4710DE47,SHA256=49C5871A037808C2F66EDE3A89A473F77F7A6C4B1F812782923DC771094329F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649377Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:37.546{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B114E56DAE36D795725A2F6979B02E5,SHA256=5D7F3FFAD8E2C8E5F0FB191EA2005F538A088A1991E4D50091F87EA3708ECE09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595334Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:34.871{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49764-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595333Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:37.320{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425CF55B068483716837D5B5B680E115,SHA256=03CD8E806F422BD079A792733800C1A4F944FBED80BBBCCA1F67DD2E2C48C351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649376Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:37.374{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3561BE378C54E741B3F04982497D1BF9,SHA256=DA99EF8B4FC3FAB515BFFC5E03B4CB33391C02C9E7B4A8B55A504A58F9CAE3D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649375Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:32.721{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49847-false10.0.1.12-8000- 23542300x8000000000000000595332Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:37.054{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C1345B0042D189E79535F607B43BCD5,SHA256=ED12F3F85654635DBFA9DC87E337287118E363F10C2087D02F65EABBDA000122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595331Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:37.054{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7878D371A82B3BA4618A1A24DE6043FC,SHA256=016D68291BE3FDD657DA0834E6AC993D04789073CE16578F3C9F14BECA52D031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649379Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:38.562{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F199E3796F33B80EBFD01390D8157D65,SHA256=A9BF3E4A2A147EAB5B84E3F13E0EB224B475888638B6B97F34642C6CBDE90791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595335Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:38.336{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC41D64BCDAD5A45DAAE8AE72BA453F,SHA256=5EB92DAD8B374B108CCE45DACB62625139A3CA078461A1E6B5F516ED382FB98E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649378Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:38.421{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43ACBEE8C033A51CBF343799AEDE8B1E,SHA256=34B805681BBB94C3F9596D88F05B552438C9AA53EDFC9AB2FDF6C6578554851F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649381Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:39.765{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C2BF328BFDE0B823C89F2092C31FABD,SHA256=13EF93141CD25566C0CAEA6931AFEA6509BCE48539FB32B5E5D239013DEFF383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649380Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:39.577{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3ED6A508DCD75C865EE3424088D40AE,SHA256=CDDC6DBD4DCBFA3C95F94CA4627A8B4C6691D72A3A9A706511DB458451927BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595336Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:39.351{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052E9EDFE6BA747C757403E07DCD71D6,SHA256=7065E89219093D0E4EED5A60126BEDF86544D2BCB31770596315CAF3D86C93DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595337Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:40.351{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740C3B4487B5C5687E6FC6512BAE1023,SHA256=7725A8000A9A3AC7D7CFC9B4738D61872A4795E02962676034B0CEE5524CA96C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649382Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:40.609{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD35BDBD6076370295ABBF224CF9E1A,SHA256=3F5B07D865E2C4E78E6C741943868CAE99B83121BA74D6CD46E4BB6E8C90967E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649384Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:41.624{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AF0D1C119D4293A72666B0739A8B71,SHA256=70D9C560ED739E26F00AD7BFFBBD7661FC8161730DD71DA7E46817F94D19694C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595338Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:41.398{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4451154D1E9CC883F0D55D2E45DE447,SHA256=211EAE375FEF3396F2DA6EE800B643BBDA3E34739E70B49F87934B43BC72BA01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649383Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:41.046{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64CE01293EAFF6574A096189345FB43A,SHA256=37E99F18B6BD990DBFCE8F0A9B29E2D5FBC17C7557BDAA6E5400AD04531587DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649387Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:42.718{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8CA467C666D340B37D096EC43C048E,SHA256=37CF3F569086553CDE577A7DF922CB71123AC8E866ED1C187B73C9D861C7BB64,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000595341Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:42.429{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C21266E9295C0B94E68D76FC78BF8AA,SHA256=7CE3A73CA1172D056A9A2D8B1B84B5122E995C933FBC3F3C180DB536609B1042,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649386Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:37.756{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49848-false10.0.1.12-8000- 23542300x8000000000000000649385Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:42.093{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD66CDBA0529D4EB03BAF3F601F724A7,SHA256=9A256320BD5FC0DB77C188E6959AB5C5147F3151CAE376B7010EAB258B2F5392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595340Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:42.086{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FF15EDDCD1FCA9A47307D0EA6D72285,SHA256=47FE2EDB5D7A156626E7A803EFEA114A7A9CC78A424BA092344E620E9EABE053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595339Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:52:42.086{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C1345B0042D189E79535F607B43BCD5,SHA256=ED12F3F85654635DBFA9DC87E337287118E363F10C2087D02F65EABBDA000122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649389Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:43.734{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F933158AB1096BCE46E25122C35799,SHA256=EBCDA036F2E0C2CBDA3CA2D9A49909789EC20E231AD520C7644194BB60943095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595343Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:43.445{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB00851152D3F511C8739ECB2FBE6B7,SHA256=46E76CBAF4EA5AF50416DB94FEA08E87612FC6CCAC2BB5E3F5211A43E9211532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649388Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:43.546{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16126837A0FA4694CAC04DEF38BD1D24,SHA256=08605A653AEA5823E7E8FA9C7AE78C769F31D7C7B9166EBAEE4CBADE7648F858,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000595342Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:39.901{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49766-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000649391Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:44.812{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CD9BF775442FA2D2FFCB0EC8A21DA0,SHA256=67B0900CE2127EA118AA12B82481CC542A3F89623C1E8269E6529B014B3C327B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595344Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:44.492{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0295259E03F2C38E636BCEBA53E69D36,SHA256=A3A2BA31FDC40529CA5092EE1C811BF3566CA6707570DA09D92F4F23CC336C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649390Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:44.702{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2916CBBBD899367B6E8D42591DC83FEA,SHA256=2D7228ECFB5E4E9B5DB37178F6EFDA7E25B5A231D6577DDBF42FDB0833E2AAE2,IMPHASH=00000000000000000000000000000000falsetrue 
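The records above are a Splunk export of Sysmon events with every field delimiter stripped, so each record reads as a single run of characters. The field order is the Sysmon event schema: EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer, then the EventData fields, which for Event ID 23 (FileDelete) are RuleName ("-"), UtcTime, ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived, and for Event ID 3 (NetworkConnect) are RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName. Read that way, "23542300x8000000000000000649349" is EventID 23, Version 5, Level 4, Task 23, Opcode 0, Keywords 0x8000000000000000, RecordID 649349. The script below is an added example, not part of the original export or of Attack Range: it recovers the fields with anchored regular expressions (Task always equals EventID, which is what disambiguates the run-together leading digits) and then separates the forwarder's own housekeeping (splunk-winevtlog.exe deleting its WinEventLog checkpoint files, Splunk Universal Forwarder binaries connecting to the lab Splunk server at 10.0.1.12:8000) from everything else, which in this slice is svchost.exe deleting a USOPrivate update-store temp file and lastalive0.dat. The five sample records are copied from this page and rejoined onto single lines where the export wrapped them mid-path; the baseline definition (server address, port, forwarder install path) is an assumption for this lab rather than a Sysmon or Splunk rule, and the IPv4 sub-pattern assumes IsIpv6 is false, as it is in every record shown.

```python
"""Recover fields from a Splunk export of Sysmon events whose delimiters were stripped.

Added example, not part of the original export. Field order follows the Sysmon
event schema: EventID, Version, Level, Task, Opcode, Keywords, EventRecordID,
Channel, Computer, then the EventData fields of Event 23 (FileDelete) or
Event 3 (NetworkConnect) in schema order, starting with RuleName ("-").
"""
import re

_PATH = r"[A-Za-z]:\\"              # every path in the export starts with a drive letter
_BOOL = r"(?:true|false)"
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"  # assumption: IsIpv6 is false in every record on the page


def _header(event_id):
    # System metadata shared by both event types. Task must equal EventID, which
    # separates "23542300x..." (23,5,4,23,0) from "354300x..." (3,5,4,3,0).
    return (
        r"(?<!\S)(?P<event_id>" + event_id + r")(?P<version>\d)(?P<level>\d)"
        r"(?P<task>(?P=event_id))(?P<opcode>\d)(?P<keywords>0x[0-9A-Fa-f]{16})"
        r"(?P<record_id>\d+)(?P<channel>Microsoft-Windows-Sysmon/Operational)"
        r"(?P<computer>\S+?)(?P<rule_name>-)"
        r"(?P<utc_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
        r"(?P<process_guid>\{[0-9A-Fa-f-]{36}\})(?P<process_id>\d+)"
    )


# Event 23: User, Image, TargetFilename, Hashes, IsExecutable, Archived.
FILE_DELETE = re.compile(
    _header("23")
    + r"(?P<user>.+?)(?P<image>" + _PATH + r".+?\.exe)(?P<target_filename>" + _PATH + r".+?)"
    + r"MD5=(?P<md5>[0-9A-Fa-f]{32}),SHA256=(?P<sha256>[0-9A-Fa-f]{64}),IMPHASH=(?P<imphash>[0-9A-Fa-f]{32})"
    + r"(?P<is_executable>" + _BOOL + r")(?P<archived>" + _BOOL + r")(?=\s|$)"
)

# Event 3: Image, User, Protocol, Initiated, then source and destination tuples.
NETWORK_CONNECT = re.compile(
    _header("3")
    + r"(?P<image>" + _PATH + r".+?\.exe)(?P<user>.+?)(?P<protocol>tcp|udp)"
    + r"(?P<initiated>" + _BOOL + r")(?P<source_is_ipv6>" + _BOOL + r")"
    + r"(?P<source_ip>" + _IPV4 + r")(?P<source_hostname>.+?)(?P<source_port>\d+)(?P<source_port_name>-|[a-z]+)"
    + r"(?P<destination_is_ipv6>" + _BOOL + r")(?P<destination_ip>" + _IPV4 + r")"
    + r"(?P<destination_hostname>.+?)(?P<destination_port>\d+)(?P<destination_port_name>-|[a-z]+)(?=\s|$)"
)

# Five records copied from the page, each rejoined onto one line (the export wraps some
# records mid-path); records are separated by whitespace exactly as in the export.
SAMPLE_EXPORT = "\n".join([
    r"23542300x8000000000000000649349Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:26.184{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E1778D19F044BB8F76ABD4645E88DB9,SHA256=80A04A88CD3C5CCEDF8BB676D5F1DF474FA3A41A6025C4E3711A6D7EA794AAB2,IMPHASH=00000000000000000000000000000000falsetrue",
    r"354300x8000000000000000595314Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:23.899{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49762-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-",
    r"23542300x8000000000000000595317Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:28.755{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9640ab1.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue",
    r"354300x8000000000000000649362Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:26.707{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49846-false10.0.1.12-8000-",
    r"23542300x8000000000000000649365Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:31.512{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E7F6540360653F85A9A4605E270C406E,SHA256=26D2E1578B2F437A1A76BD1AC0FC2E050BD44F3A6B8CBD6E36A823A85234B953,IMPHASH=00000000000000000000000000000000falsetrue",
])


def parse_records(blob):
    """Return every FileDelete and NetworkConnect record in *blob* as a dict, in export order."""
    matches = [m for pat in (FILE_DELETE, NETWORK_CONNECT) for m in pat.finditer(blob)]
    matches.sort(key=lambda m: m.start())
    return [m.groupdict() for m in matches]


# Assumed lab baseline (not a Sysmon/Splunk rule): the forwarder's own housekeeping.
SPLUNK_UF_DIR = "c:\\program files\\splunkuniversalforwarder\\"
CHECKPOINT_DIR = SPLUNK_UF_DIR + "var\\lib\\splunk\\modinputs\\wineventlog\\"
SPLUNK_SERVER = "10.0.1.12"   # destination of every NetworkConnect on the page
SPLUNK_PORTS = {"8000"}       # the port the page's streamfwd.exe connections use


def is_forwarder_baseline(rec):
    """True for the forwarder deleting its checkpoint files or talking to the Splunk server."""
    image = rec["image"].lower()
    if rec["event_id"] == "23":
        return (image == SPLUNK_UF_DIR + "bin\\splunk-winevtlog.exe"
                and rec["target_filename"].lower().startswith(CHECKPOINT_DIR))
    if rec["event_id"] == "3":
        return (image.startswith(SPLUNK_UF_DIR)
                and rec["destination_ip"] == SPLUNK_SERVER
                and rec["destination_port"] in SPLUNK_PORTS)
    return False


def triage(records):
    """Split records into (baseline, needs_review); only the second list is worth an analyst's time."""
    baseline, review = [], []
    for rec in records:
        (baseline if is_forwarder_baseline(rec) else review).append(rec)
    return baseline, review


if __name__ == "__main__":
    baseline, review = triage(parse_records(SAMPLE_EXPORT))
    print(f"{len(baseline)} forwarder-baseline records suppressed, {len(review)} left to review")
    for rec in review:
        what = rec.get("target_filename") or f'{rec["destination_ip"]}:{rec["destination_port"]}'
        print(f'{rec["utc_time"]} {rec["computer"]} EID {rec["event_id"]} pid {rec["process_id"]} '
              f'{rec["user"]} {rec["image"]} -> {what}')
```

Run against the whole export (after rejoining wrapped records) the same two patterns pull every record on this page apart; anything that lands in the review list is what the Splunk forwarder noise was hiding.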
23542300x8000000000000000649393Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:45.937{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A325AB4146B717D69C0D7175D0B4035D,SHA256=A85C51EC729ED8DD24A363A12482A813FB6EE912BFE7AD2AB6DFC60FC4F0E465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649392Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:45.827{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EB8BE238F1619B101E0F6C3E9BB665,SHA256=1AA0B69BEF9F47A79FCF52EBAFF4BCA6330D44CF1718BBE530A62514131CA21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595345Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:45.523{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D728513ECCE1DA5D08CD806EFD6D7B06,SHA256=DB50992529482FABA1E6A2DB2706AEFEA3ED9C34E4E60452536FFB35D3B1DCD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649394Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:46.843{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00159237E4BAA612D27753BCFDA94EA9,SHA256=D548C8000F7E2F6DB4A2F1313016926B41ACB7282BBCF5105D6745C2D3475BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595346Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:46.554{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03215BA1466DFB526599F7FE35EF2586,SHA256=F27C5745C3CD8C32C22C960ECFCF08EA03A95C45CFB90319B8E48A93DF652D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649396Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:47.859{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E23F812562B87C0170D22EF64528621,SHA256=9747DFE62944F3E2A8865707A09371EFE7CF032A54C7EAD637E352D2E4BE6941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595349Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:47.555{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3206615C5A615AD0A439CC0D4CC634CD,SHA256=4B71661323898F762E1A9832CEC0E359DCD7B779E3DBC1E0DBF4009F6251FFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649395Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:47.109{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BC7165E5A5AE7CCF0E35C283359508F,SHA256=8F3AD9C4BFB732934A399E4ADD3AC6BE64ECED258229ADB0F94EF264B191E1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595348Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:47.211{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A50C08D3A28E6AC8DE6EA54ED142CD60,SHA256=60AF3823F034D526D6130DC829F21DF3C2284AC92AEA9CF02865A47950162DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595347Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:47.211{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FF15EDDCD1FCA9A47307D0EA6D72285,SHA256=47FE2EDB5D7A156626E7A803EFEA114A7A9CC78A424BA092344E620E9EABE053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649399Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:48.874{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83CF3D7F59AB4662934FC54BB64C6266,SHA256=3F1E7D1AB6874C5DEEB56A644D784522A712E86A57FDC1A83413E1F5AC55D165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595351Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:52:48.633{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056067B97AADA87C285AAC39E560E5A9,SHA256=B9A68DD557F0933B275103CC669C1810407F3A7E9DEB2ACB8A782F33E9C8A2F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649398Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:43.615{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49849-false10.0.1.12-8000- 23542300x8000000000000000649397Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:48.202{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33AD9E4834FE01A0A6F683315A44F1FD,SHA256=06166F0F6042C3662CA7194BAED592425ADFB301A47EBD9D6602E210827D9D27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595350Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:44.932{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49767-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000649401Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:49.905{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE84E0C4BECE7750A5646279495B61C,SHA256=60206AE6F2A34703CD96AB96C3D4D44FA5C8128FB84BC947A45D84112D378D43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595365Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.726{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEB1-60B8-4858-00000000C501}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595364Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.726{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595363Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:52:49.726{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595362Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.726{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595361Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:52:49.726{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595360Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.726{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DEB1-60B8-4858-00000000C501}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595359Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.726{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEB1-60B8-4858-00000000C501}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595358Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.727{97C2ED32-DEB1-60B8-4858-00000000C501}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595357Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.633{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA05020784ACE57D8E436CFB491FA723,SHA256=0630A9E4F1AF4BD311A22D27081703DDB69EA157C296E78C876943B69BF5FAAE,IMPHASH=00000000000000000000000000000000falsetrue 
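The Event ID 10 (ProcessAccess) records in the cluster above (records 595359 to 595365: splunkd.exe, csrss.exe and conhost.exe opening the newly spawned splunk-netmon.exe with GrantedAccess 0x1fffff, and lsm inside svchost.exe opening sysmon64.exe with 0x1400) are the routine noise an analyst has to separate from real handle abuse. As an added example, not code from Splunk, Sysmon or the attack_range project, here is a small Python triage that decodes GrantedAccess masks and suppresses the two benign patterns visible here: a parent opening the child it has just created, and the session subsystem opening a new console process. It assumes Sysmon's standard "Key: Value" event-message layout and the access-right values from winnt.h; the sample events are constructed in that layout from values transcribed from this page, plus one constructed lsass.exe access that is not on the page.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) records such as those above.
Added example, not Splunk's or Sysmon's code. Sample messages use Sysmon's
"Key: Value" event-message layout; values are transcribed from records on this
page, except the last sample, which is constructed and is not on the page.
"""

# Process access rights from winnt.h (values fixed by the Windows API).
PROCESS_RIGHTS = [
    (0x1, "PROCESS_TERMINATE"), (0x2, "PROCESS_CREATE_THREAD"),
    (0x4, "PROCESS_SET_SESSIONID"), (0x8, "PROCESS_VM_OPERATION"),
    (0x10, "PROCESS_VM_READ"), (0x20, "PROCESS_VM_WRITE"),
    (0x40, "PROCESS_DUP_HANDLE"), (0x80, "PROCESS_CREATE_PROCESS"),
    (0x100, "PROCESS_SET_QUOTA"), (0x200, "PROCESS_SET_INFORMATION"),
    (0x400, "PROCESS_QUERY_INFORMATION"), (0x800, "PROCESS_SUSPEND_RESUME"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
    (0x2000, "PROCESS_SET_LIMITED_INFORMATION"), (0x10000, "DELETE"),
    (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
    (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let the source alter the target (inject, hijack, suspend).
TAMPER_RIGHTS = 0x0002 | 0x0008 | 0x0020 | 0x0080 | 0x0800
PROCESS_VM_READ = 0x0010  # enough to read credentials out of lsass.exe
# The session subsystem opens every new console process with full access.
SESSION_SUBSYSTEM = {r"c:\windows\system32\csrss.exe",
                     r"c:\windows\system32\conhost.exe"}

def decode_access(mask):
    """Names of the rights set in a GrantedAccess mask, lowest bit first."""
    return [name for bit, name in PROCESS_RIGHTS if mask & bit]

def parse_event(message):
    """Parse one Sysmon 'Key: Value' message body into a dict; splitting on
    colon-space keeps drive-letter paths intact."""
    fields = {}
    for line in message.strip().splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields

def triage(events):
    """Return (event, reason) pairs for ProcessAccess events worth a look.
    Suppressed as benign: a parent opening the child it just created, and
    csrss/conhost opening a new console process. The rest is reported only
    for tamper rights, or PROCESS_VM_READ against lsass.exe."""
    # Child ProcessGuid -> ParentProcessGuid, taken from Event ID 1 records.
    parent_of = {e["ProcessGuid"]: e["ParentProcessGuid"]
                 for e in events if "ParentProcessGuid" in e}
    hits = []
    for e in events:
        if "GrantedAccess" not in e:
            continue
        mask = int(e["GrantedAccess"], 16)
        if parent_of.get(e["TargetProcessGUID"]) == e["SourceProcessGUID"]:
            continue
        if e["SourceImage"].lower() in SESSION_SUBSYSTEM:
            continue
        if mask & TAMPER_RIGHTS:
            hits.append((e, "tamper rights: "
                         + ",".join(decode_access(mask & TAMPER_RIGHTS))))
        elif e["TargetImage"].lower().endswith("\\lsass.exe") and mask & PROCESS_VM_READ:
            hits.append((e, "PROCESS_VM_READ on lsass.exe"))
    return hits

SAMPLE_MESSAGES = [
    # Event ID 1, record 595358 on this page (subset of fields).
    r"""Process Create:
ProcessGuid: {97C2ED32-DEB1-60B8-4858-00000000C501}
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
ParentProcessGuid: {97C2ED32-787E-60B6-C000-00000000C501}
ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe""",
    # Event ID 10, record 595359: splunkd opening the child it just spawned.
    r"""Process accessed:
SourceProcessGUID: {97C2ED32-787E-60B6-C000-00000000C501}
SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
TargetProcessGUID: {97C2ED32-DEB1-60B8-4858-00000000C501}
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
GrantedAccess: 0x1FFFFF""",
    # Event ID 10, record 595360: csrss opening the same new process.
    r"""Process accessed:
SourceProcessGUID: {97C2ED32-772E-60B6-0500-00000000C501}
SourceImage: C:\Windows\system32\csrss.exe
TargetProcessGUID: {97C2ED32-DEB1-60B8-4858-00000000C501}
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
GrantedAccess: 0x1FFFFF""",
    # Constructed, NOT on this page: a user-writable binary reading lsass.
    r"""Process accessed:
SourceProcessGUID: {00000000-0000-0000-0000-000000000001}
SourceImage: C:\Users\Public\svc.exe
TargetProcessGUID: {00000000-0000-0000-0000-000000000002}
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010""",
]
SAMPLE_EVENTS = [parse_event(m) for m in SAMPLE_MESSAGES]

for event, reason in triage(SAMPLE_EVENTS):
    print(event["SourceImage"], "->", event["TargetImage"], ":", reason)
```

Run as-is it reports only the constructed lsass.exe read; the splunkd.exe open of splunk-netmon.exe with 0x1fffff is dropped because the Event ID 1 record names splunkd.exe as the parent. That suppression only works when the matching Event ID 1 arrives in the same search window, which is why the records on this page are worth keeping together. The 0x1400 and 0x101400 masks seen against sysmon64.exe and splunkd.exe decode to query and SYNCHRONIZE rights only and would never be reported. If volume matters more than post-hoc triage, the same parent-to-child pattern can be excluded in the Sysmon configuration instead, but key the exclusion on both SourceImage and TargetImage rather than on the splunkd.exe source alone, otherwise a compromised forwarder injecting into any process would be excluded as well.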
23542300x8000000000000000649400Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:49.359{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E20544174BBCD9991DC45C8A41F136B6,SHA256=FE41B138A9BA5627D7DACDDF762718DF9704F81A1D51FA5F068F3FE071979FB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595356Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.086{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-C506-00000000C501}4092C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595355Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.086{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-2000-00000000C501}1088C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595354Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:52:49.086{97C2ED32-772F-60B6-0D00-00000000C501}7881872C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-1100-00000000C501}984C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595353Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.086{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0F00-00000000C501}924C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595352Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.086{97C2ED32-772F-60B6-0D00-00000000C501}7881872C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0C00-00000000C501}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649403Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:50.937{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5A35E426E80A18FB1DD4981FABF632,SHA256=C186DA8337349BC091E13AF19349BE921A2A55363D2676CDA868393E601213C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595376Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.742{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A50C08D3A28E6AC8DE6EA54ED142CD60,SHA256=60AF3823F034D526D6130DC829F21DF3C2284AC92AEA9CF02865A47950162DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595375Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.648{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA8DCF931F15EA4E8ED05FD90DBAB71,SHA256=BFB1D3E74F7435DFB245AE8B00DB71EB8A699EFA4E4D6F689C76FAB2C2CC988D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649402Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:50.593{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAC63B54721DB16D479DB769625CC10D,SHA256=121AB6374ACB64CAEABE101F58B98B1ACDE96F6D31D7AF30BCDE951EE61CA1C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595374Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.539{97C2ED32-DEB2-60B8-4958-00000000C501}25163540C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595373Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.398{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEB2-60B8-4958-00000000C501}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595372Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:52:50.398{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595371Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.398{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595370Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:52:50.398{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595369Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.398{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595368Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:52:50.398{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DEB2-60B8-4958-00000000C501}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595367Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.398{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEB2-60B8-4958-00000000C501}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595366Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.399{97C2ED32-DEB2-60B8-4958-00000000C501}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000649404Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:51.984{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADFA576B980752F988EFC595420DE6D,SHA256=92D7B1145B6386882FCB200D907C024EAA80BA6F924412EEEF98B315DDD18FD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595394Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.680{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEB3-60B8-4B58-00000000C501}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595393Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:52:51.680
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Field layout for the records that follow: each record header gives EventID, RecordID, Computer and UtcTime. Every record in this span is from Channel Microsoft-Windows-Sysmon/Operational with Level 4, Opcode 0, Keywords 0x8000000000000000, RuleName -, Task equal to EventID, and Version 5 (EventID 1, 3, 23) or Version 3 (EventID 10).

EventID 10 ProcessAccess | RecordID 595392 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.680
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595391 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.680
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595390 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.680
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595389 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.680
  SourceProcessGUID {97C2ED32-772E-60B6-0500-00000000C501}; SourceProcessId 408; SourceThreadId 424; SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {97C2ED32-DEB3-60B8-4B58-00000000C501}; TargetProcessId 3116; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID 10 ProcessAccess | RecordID 595388 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.680
  SourceProcessGUID {97C2ED32-787E-60B6-C000-00000000C501}; SourceProcessId 3336; SourceThreadId 2836; SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {97C2ED32-DEB3-60B8-4B58-00000000C501}; TargetProcessId 3116; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 1 ProcessCreate | RecordID 595387 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.680
  ProcessGuid {97C2ED32-DEB3-60B8-4B58-00000000C501}; ProcessId 3116; Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
  FileVersion 8.0.2; Description Windows Print Monitor; Product splunk Application; Company Splunk Inc.; OriginalFileName splunk-winprintmon.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"; CurrentDirectory C:\Windows\system32\
  User NT AUTHORITY\SYSTEM; LogonGuid {97C2ED32-772F-60B6-E703-000000000000}; LogonId 0x3e7; TerminalSessionId 0; IntegrityLevel System
  Hashes MD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748
  ParentProcessGuid {97C2ED32-787E-60B6-C000-00000000C501}; ParentProcessId 3336; ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID 23 FileDelete | RecordID 595386 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.648
  ProcessGuid {97C2ED32-788B-60B6-F700-00000000C501}; ProcessId 3204; User NT AUTHORITY\SYSTEM; Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=762EE0A261A4DFA287E279995F412D81,SHA256=C63EC9CEC270CB1891449A6DD9F0FE9512D689768849DF3C4049D42036CBC500,IMPHASH=00000000000000000000000000000000; IsExecutable false; Archived true

EventID 10 ProcessAccess | RecordID 595385 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.133
  SourceProcessGUID {97C2ED32-DEB3-60B8-4A58-00000000C501}; SourceProcessId 5908; SourceThreadId 2480; SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  TargetProcessGUID {97C2ED32-787E-60B6-C000-00000000C501}; TargetProcessId 3336; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; GrantedAccess 0x101400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595384 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.008
  SourceProcessGUID {97C2ED32-787E-60B6-C400-00000000C501}; SourceProcessId 3160; SourceThreadId 3908; SourceImage C:\Windows\system32\conhost.exe
  TargetProcessGUID {97C2ED32-DEB3-60B8-4A58-00000000C501}; TargetProcessId 5908; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595383 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.008
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595382 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.008
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595381 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.008
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595380 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.008
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595379 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.008
  SourceProcessGUID {97C2ED32-772E-60B6-0500-00000000C501}; SourceProcessId 408; SourceThreadId 424; SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {97C2ED32-DEB3-60B8-4A58-00000000C501}; TargetProcessId 5908; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID 10 ProcessAccess | RecordID 595378 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.008
  SourceProcessGUID {97C2ED32-787E-60B6-C000-00000000C501}; SourceProcessId 3336; SourceThreadId 2836; SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {97C2ED32-DEB3-60B8-4A58-00000000C501}; TargetProcessId 5908; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 1 ProcessCreate | RecordID 595377 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:51.010
  ProcessGuid {97C2ED32-DEB3-60B8-4A58-00000000C501}; ProcessId 5908; Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  FileVersion -; Description -; Product -; Company -; OriginalFileName -
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"; CurrentDirectory C:\Windows\system32\
  User NT AUTHORITY\SYSTEM; LogonGuid {97C2ED32-772F-60B6-E703-000000000000}; LogonId 0x3e7; TerminalSessionId 0; IntegrityLevel System
  Hashes MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C
  ParentProcessGuid {97C2ED32-787E-60B6-C000-00000000C501}; ParentProcessId 3336; ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID 10 ProcessAccess | RecordID 595412 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.867
  SourceProcessGUID {97C2ED32-787E-60B6-C400-00000000C501}; SourceProcessId 3160; SourceThreadId 3908; SourceImage C:\Windows\system32\conhost.exe
  TargetProcessGUID {97C2ED32-DEB4-60B8-4D58-00000000C501}; TargetProcessId 1384; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595411 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.867
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595410 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.867
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595409 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.867
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595408 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.867
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595407 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.867
  SourceProcessGUID {97C2ED32-772E-60B6-0500-00000000C501}; SourceProcessId 408; SourceThreadId 528; SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {97C2ED32-DEB4-60B8-4D58-00000000C501}; TargetProcessId 1384; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID 10 ProcessAccess | RecordID 595406 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.867
  SourceProcessGUID {97C2ED32-787E-60B6-C000-00000000C501}; SourceProcessId 3336; SourceThreadId 2836; SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {97C2ED32-DEB4-60B8-4D58-00000000C501}; TargetProcessId 1384; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 1 ProcessCreate | RecordID 595405 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.868
  ProcessGuid {97C2ED32-DEB4-60B8-4D58-00000000C501}; ProcessId 1384; Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  FileVersion -; Description -; Product -; Company -; OriginalFileName -
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2; CurrentDirectory C:\Windows\system32\
  User NT AUTHORITY\SYSTEM; LogonGuid {97C2ED32-772F-60B6-E703-000000000000}; LogonId 0x3e7; TerminalSessionId 0; IntegrityLevel System
  Hashes MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C
  ParentProcessGuid {97C2ED32-787E-60B6-C000-00000000C501}; ParentProcessId 3336; ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID 23 FileDelete | RecordID 595404 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.664
  ProcessGuid {97C2ED32-788B-60B6-F700-00000000C501}; ProcessId 3204; User NT AUTHORITY\SYSTEM; Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=CC210CD57191512012FCE6C0EBBEB6C5,SHA256=4889A3E901E439136BA2ACBD39B808BD7C344614A093A0325BB20E4DF7E7DD00,IMPHASH=00000000000000000000000000000000; IsExecutable false; Archived true

EventID 23 FileDelete | RecordID 649405 | win-dc-233.attackrange.local | UtcTime 2021-06-03 13:52:52.327
  ProcessGuid {D419E45B-7552-60B6-7500-00000000C401}; ProcessId 2528; User NT AUTHORITY\SYSTEM; Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=0F807BE7CEE0897663A73A7344F17932,SHA256=F99152C152C40ED640A5DE186F7ACE38988D0E18FB5879C90BEF01FA53B945DE,IMPHASH=00000000000000000000000000000000; IsExecutable false; Archived true

EventID 10 ProcessAccess | RecordID 595403 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.242
  SourceProcessGUID {97C2ED32-787E-60B6-C400-00000000C501}; SourceProcessId 3160; SourceThreadId 3908; SourceImage C:\Windows\system32\conhost.exe
  TargetProcessGUID {97C2ED32-DEB4-60B8-4C58-00000000C501}; TargetProcessId 5824; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe; GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595402 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.242
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595401 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.242
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595400 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.242
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595399 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.242
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595398 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.242
  SourceProcessGUID {97C2ED32-772E-60B6-0500-00000000C501}; SourceProcessId 408; SourceThreadId 528; SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {97C2ED32-DEB4-60B8-4C58-00000000C501}; TargetProcessId 5824; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe; GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID 10 ProcessAccess | RecordID 595397 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.242
  SourceProcessGUID {97C2ED32-787E-60B6-C000-00000000C501}; SourceProcessId 3336; SourceThreadId 2836; SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {97C2ED32-DEB4-60B8-4C58-00000000C501}; TargetProcessId 5824; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe; GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 1 ProcessCreate | RecordID 595396 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.243
  ProcessGuid {97C2ED32-DEB4-60B8-4C58-00000000C501}; ProcessId 5824; Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
  FileVersion 10.0.10011.16384; Description SplunkMonNoHandle Control Program; Product Windows (R) Win 7 DDK driver; Company Windows (R) Win 7 DDK provider; OriginalFileName SplunkMonNoHandle.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"; CurrentDirectory C:\Windows\system32\
  User NT AUTHORITY\SYSTEM; LogonGuid {97C2ED32-772F-60B6-E703-000000000000}; LogonId 0x3e7; TerminalSessionId 0; IntegrityLevel System
  Hashes MD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8
  ParentProcessGuid {97C2ED32-787E-60B6-C000-00000000C501}; ParentProcessId 3336; ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID 23 FileDelete | RecordID 595395 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:52.226
  ProcessGuid {97C2ED32-788B-60B6-F700-00000000C501}; ProcessId 3204; User NT AUTHORITY\SYSTEM; Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=C358D5B33878BF4598CDF44B8789311E,SHA256=B7532A81AA98C8FA96538A987BF4952C4EB4A8D38C6AE11CC3964814DEF5D905,IMPHASH=00000000000000000000000000000000; IsExecutable false; Archived true

EventID 23 FileDelete | RecordID 595425 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:53.664
  ProcessGuid {97C2ED32-788B-60B6-F700-00000000C501}; ProcessId 3204; User NT AUTHORITY\SYSTEM; Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=39521AF27E6ABD2ACD93E9C0A7C2C980,SHA256=186567B2EB7BDB7B734D842B6E8A101FA1714371085C65D9DFD62183852231BF,IMPHASH=00000000000000000000000000000000; IsExecutable false; Archived true

EventID 3 NetworkConnect | RecordID 649408 | win-dc-233.attackrange.local | UtcTime 2021-06-03 13:52:48.615
  ProcessGuid {D419E45B-754A-60B6-6C00-00000000C401}; ProcessId 3320; Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User NT AUTHORITY\SYSTEM
  Protocol tcp; Initiated true; SourceIsIpv6 false; SourceIp 10.0.1.14; SourceHostname win-dc-233.attackrange.local; SourcePort 49850; SourcePortName -
  DestinationIsIpv6 false; DestinationIp 10.0.1.12; DestinationHostname -; DestinationPort 8000; DestinationPortName -

EventID 23 FileDelete | RecordID 649407 | win-dc-233.attackrange.local | UtcTime 2021-06-03 13:52:53.390
  ProcessGuid {D419E45B-7552-60B6-7500-00000000C401}; ProcessId 2528; User NT AUTHORITY\SYSTEM; Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=49B88FBBAD57056A41892DCAFF70D689,SHA256=5A736010EC48439887ADDAF2ACF679D2ABC7D6026F6F0709C452E68C5FB91D86,IMPHASH=00000000000000000000000000000000; IsExecutable false; Archived true

EventID 23 FileDelete | RecordID 649406 | win-dc-233.attackrange.local | UtcTime 2021-06-03 13:52:52.999
  ProcessGuid {D419E45B-7552-60B6-7500-00000000C401}; ProcessId 2528; User NT AUTHORITY\SYSTEM; Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=D32BFC3D5FFFC66056791BDD30CBBD68,SHA256=5859E39A85E86C3EE0503A585D18AD11D75F303334DEAEFF5E38C585D562A66B,IMPHASH=00000000000000000000000000000000; IsExecutable false; Archived true

EventID 10 ProcessAccess | RecordID 595424 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:53.633
  SourceProcessGUID {97C2ED32-DEB5-60B8-4E58-00000000C501}; SourceProcessId 3348; SourceThreadId 2848; SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  TargetProcessGUID {97C2ED32-787E-60B6-C000-00000000C501}; TargetProcessId 3336; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; GrantedAccess 0x101400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 3 NetworkConnect | RecordID 595423 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:50.932
  ProcessGuid {97C2ED32-7885-60B6-EE00-00000000C501}; ProcessId 3036; Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User NT AUTHORITY\SYSTEM
  Protocol tcp; Initiated true; SourceIsIpv6 false; SourceIp 10.0.1.15; SourceHostname win-host-236.attackrange.local; SourcePort 49768; SourcePortName -
  DestinationIsIpv6 false; DestinationIp 10.0.1.12; DestinationHostname ip-10-0-1-12.us-west-2.compute.internal; DestinationPort 8000; DestinationPortName -

EventID 10 ProcessAccess | RecordID 595422 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:53.492
  SourceProcessGUID {97C2ED32-787E-60B6-C400-00000000C501}; SourceProcessId 3160; SourceThreadId 3908; SourceImage C:\Windows\system32\conhost.exe
  TargetProcessGUID {97C2ED32-DEB5-60B8-4E58-00000000C501}; TargetProcessId 3348; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595421 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:53.492
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595420 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:53.492
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595419 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:53.492
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595418 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:53.492
  SourceProcessGUID {97C2ED32-772F-60B6-0C00-00000000C501}; SourceProcessId 724; SourceThreadId 4200; SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {97C2ED32-7730-60B6-1E00-00000000C501}; TargetProcessId 2016; TargetImage C:\Windows\sysmon64.exe; GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 10 ProcessAccess | RecordID 595417 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:53.492
  SourceProcessGUID {97C2ED32-772E-60B6-0500-00000000C501}; SourceProcessId 408; SourceThreadId 528; SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {97C2ED32-DEB5-60B8-4E58-00000000C501}; TargetProcessId 3348; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID 10 ProcessAccess | RecordID 595416 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:53.492
  SourceProcessGUID {97C2ED32-787E-60B6-C000-00000000C501}; SourceProcessId 3336; SourceThreadId 2836; SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {97C2ED32-DEB5-60B8-4E58-00000000C501}; TargetProcessId 3348; TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe; GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID 1 ProcessCreate | RecordID 595415 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:53.493
  ProcessGuid {97C2ED32-DEB5-60B8-4E58-00000000C501}; ProcessId 3348; Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  FileVersion 8.0.2; Description Registry monitor; Product splunk Application; Company Splunk Inc.; OriginalFileName splunk-regmon.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"; CurrentDirectory C:\Windows\system32\
  User NT AUTHORITY\SYSTEM; LogonGuid {97C2ED32-772F-60B6-E703-000000000000}; LogonId 0x3e7; TerminalSessionId 0; IntegrityLevel System
  Hashes MD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25
  ParentProcessGuid {97C2ED32-787E-60B6-C000-00000000C501}; ParentProcessId 3336; ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID 23 FileDelete | RecordID 595414 | win-host-236.attackrange.local | UtcTime 2021-06-03 13:52:53.258
  ProcessGuid {97C2ED32-788B-60B6-F700-00000000C501}; ProcessId 3204; User NT AUTHORITY\SYSTEM; Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes MD5=E9800E755C1B9C93A543D0189B0D0316,SHA256=ECD92A785A531FB0AD28934A5593415AF25E6BD9FA42B498019ADB3F135B1EBA,IMPHASH=00000000000000000000000000000000; IsExecutable false; Archived true

EventID 10 ProcessAccess | RecordID 595413 | win-host-236.attackrange.local | UtcTime 2021-06-03 
13:52:52.992{97C2ED32-DEB4-60B8-4D58-00000000C501}13843320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595427Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:54.680{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC259515DABE77386B7F81BD7796939,SHA256=082EF6FBF1E7CBD619D3E713AD2023DD3B6FD52801A4CA853D3C8877A8B8E473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649410Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:54.530{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADA0919BE48B28FFAD95E2CF5CE12AF6,SHA256=9C43A197D7822164F4D6C186E4318C7A0EF6C61BD06FE906162AE40187543D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649409Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:54.062{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E74F5803031A8C39EFC68CBD7C571EF,SHA256=15956B218966B9C57D71B280BABE0F6F5ADC582FA24216BA5BAF8342EBA60FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595426Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:54.664{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF6AB3AB5248BD04E3CEF6DCFB5DFDB3,SHA256=B0850D22AC060FB5D2186D84DD372CD326097A5003E88E638DA7FD8479EA5351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595428Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:55.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51643179F5F9D24E9CC22AB7F95A928C,SHA256=9C2958F539F52FCB212A77EAD350BD640E6B18D5BDEF7FF4EB0B19423ADB1097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649412Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.796{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E869589D762C98B14E72901DCD569DCA,SHA256=C74258C1E650D82D53BEB445453FC6E6661FD8F82EA0BD561B818DF10BB71292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649411Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.077{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93BCD3DFEF95D319BB055FF97341B5E,SHA256=7FFF2FE2D833CAAB2F5155752700CF44C31B38079EA4D11A823C8978E6B70AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595429Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:56.700{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2338326C13404B89D45DE3375E4140C7,SHA256=76CC9D33D728948FEBC28C342EDC668A4E6A5AB4C638D0C49037A9FB63804CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649413Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:56.093{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C80148B4560FDA74CE654248B06F73,SHA256=9DB3298C5C10272D7D0C8863EBDD2D06B86E21D2D43530A822C60279316F3D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595431Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:57.700{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC911E6FD09D8497D8ACE5BEADCE893,SHA256=ECEAA1F0B65E85F0DE37067BAB7A57F3D4191C8F6FB7DAC6FE5DA4421B1A4026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649415Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:57.254{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3FB7D391D6CD8933DBFE8C4EBA52F35,SHA256=4FCA2EC400E4D9E05A827AC9FFBD8629860D50EB251673BCAAE11169473B640B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649414Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:57.160{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD696F7C98B93212F00F5C395EC1CCC9,SHA256=9E34B6C396172FD8ED212507233B6ACBD2D3E6C1E0402AE2CDB7BA331F54CDB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595430Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:57.262{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595434Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:58.747{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6314CB71E3B2B311A4E906C19924200E,SHA256=13AC0D930F560FD9FCA4597685D825BB82C5CF8858C8FF2760F70F6ECF4C9D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649450Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:58.894{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7A2CB29451556734981F83CD12CEA688,SHA256=031703EE7BC4C29D63D9F8EFAC7CB5E3D0F0B860BDA3CDB1DCDC0552607001CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649449Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.535{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=667A6344AB9DAE05DF25F30B8C3234DE,SHA256=8F082AB0D25E4ABC5F24F892AFF9AC6B6A14487556D169836D609F5BE8966B89,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649448Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.410{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.bin2021-06-01 18:15:53.751 23542300x8000000000000000649447Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.410{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.binMD5=6D7D70AE31C279FE84C30CB809F05229,SHA256=17F7DBFBDF7ADD68F057134463D791A5056967AEA6C7209C628AE257244D799E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649446Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:58.394{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_computers.jsonMD5=33567B858E18E75BFBBE3295D6CE4CBE,SHA256=C867058A174CF386BDF326276649D85975D023EFBC3A450211F184385D2F6A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649445Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.394{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_domains.jsonMD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649444Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.394{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_users.jsonMD5=C955FAAB4D2234C39EC98F29D9633725,SHA256=1FBA8B055788E4C0EBFB5893EE3E703FD1FF34DC828785DD4F68E1EF639FDB0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649443Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.394{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_ous.jsonMD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649442Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:58.394{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_gpos.jsonMD5=15200722E11C8FB935E1EB3A62BD407C,SHA256=E06941E35D85F9C7A3CF19EBC4D157BAA9AAB7FEBF4592E678EC88E2B4803062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649441Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.394{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_groups.jsonMD5=C1743B670BCE65953F12359D239562A9,SHA256=1FBCB204AF66F3F8913CECD7C6261F0ABD85D108E638ECFF9ED143CA371DD6D8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649440Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.379{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_BloodHound.zip2021-06-03 13:52:58.379 11241100x8000000000000000649439Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.332{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_computers.json2021-06-03 13:52:58.332 10341000x8000000000000000649438Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:58.332{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649437Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:58.332{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000649436Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.332{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_domains.json2021-06-03 13:52:58.332 10341000x8000000000000000649435Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:58.332{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649434Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:58.316{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000649433Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.316{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_users.json2021-06-03 13:52:58.316 10341000x8000000000000000649432Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:58.316{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649431Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:58.316{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649430Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:58.316{D419E45B-752D-60B6-0B00-00000000C401}6321072C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649429Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:58.316{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 11241100x8000000000000000649428Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.316{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_ous.json2021-06-03 13:52:58.316 11241100x8000000000000000649427Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.316{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_gpos.json2021-06-03 13:52:58.316 11241100x8000000000000000649426Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.301{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_groups.json2021-06-03 13:52:58.301 23542300x8000000000000000649425Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:58.176{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8B63C3F336D59D2314E5D9A4F0E4D7,SHA256=77F3190394198FFEA4654A985662711C64FBA05F9A5721E44BB19B93FEA1E334,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595433Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:56.078{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49769-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000595432Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:58.247{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9CD28112AA7D820191CF9B59AA3912A,SHA256=4EC317B27D72B69E06CDD0022957A4E43AB4C77280250A063491B0F614B58281,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649424Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:52:58.082{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649423Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.082{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x8000000000000000649510Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:07.785{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2B30D446707B546A21C1912CAA28415,SHA256=9DCB74FAB69D4B9BC9915F95BF8EF967C128ADD891E687F4964984A2043CB4ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649509Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:07.722{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E535787237ADA1880407B5DC373CEED9,SHA256=4132C6ABF81056ADDD9EC6405FDA7C4198D935B15AAD8B58444A6AA11E10C050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649512Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:08.894{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8FCB7354A29776262720A77566A96C0,SHA256=27D716343CF71ECE8B5BF1A60759DEA9EF3D8668DD500ACCDD2488AA33F846AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649511Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:08.754{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1249E4A15AE5282F171D6D96A7487CE9,SHA256=F86AD310E856602B4633095A3D5C7689CE7FA15440153CE17EAA5EDD010EAA83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595454Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:08.918{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65D6F9DF20FEB8AD077C3F5EBB587D1,SHA256=4FCFBAB9B806FA7398F4F09ED9E40EF48D643088E6B96711787E0233D45F9232,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595458Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:06.890{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49772-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595457Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:09.919{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC242D640FC2F552E66DB9DA828FCE6,SHA256=BC7AD5E13C4ED37161CEA04DE732B183B7D7ECDE7C76C13543106BE504156D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649513Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:09.769{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51281A430DF51EADD88A4336ACF1DEF9,SHA256=D880553AD3489C88A676D3325364CE26DDFCC21C26734C9D67B190545C6D95CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595456Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:09.090{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C350D1A1CA2F6CABA82418669176318F,SHA256=890EEFA61D63A65EC20E585904CAE186AA0A819A7388B6650BBE18D7376B339E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595455Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:09.090{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33D136C2CF7A05FA04ED2A056BF4CB76,SHA256=347F40DD6B5627629A0339C5100A4269497D438B83CAD28A2B48873FB2DF8765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649516Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:10.785{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F5C69DBD6EFE4045431A22194CB403,SHA256=0EB4E2155763B398E8F4703FD42DED38436B66FD89A4292190B3B84283BB3E36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595485Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595484Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595483Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595482Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595481Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595480Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595479Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595478Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595477Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595476Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595475Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595474Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595473Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595472Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595471Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595470Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595469Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595468Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595467Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595466Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595465Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595464Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595463Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595462Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595461Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595460Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595459Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:17.873{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649577Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.873{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DECD-60B8-7A4E-00000000C401}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649576Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.873{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DECD-60B8-7A4E-00000000C401}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649575Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.874{D419E45B-DECD-60B8-7A4E-00000000C401}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000649574Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.498{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA680AF166485C87F637F35BC4F3E7E9,SHA256=0EAD38FCE362D4E14E8E9FD9B3A5BAF1DC2A505D9600F72786B8F090DA47E447,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649573Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:17.373{D419E45B-DECD-60B8-794E-00000000C401}60405424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649572Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.201{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DECD-60B8-794E-00000000C401}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649571Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:17.201{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649570Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.201{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649569Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:17.201{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649568Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.201{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649567Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.201{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DECD-60B8-794E-00000000C401}6040C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649566Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.201{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DECD-60B8-794E-00000000C401}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649565Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.202{D419E45B-DECD-60B8-794E-00000000C401}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595496Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:18.491{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743AE0A887B69D175247D0E6F947FBD1,SHA256=6B18B2ECBB7AF47C0E56EABF57BDD803D4887454B00C29749F38F1B5BA76BC79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649593Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.545{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DECE-60B8-7B4E-00000000C401}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649592Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:18.545{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649591Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.545{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649590Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:18.545{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649589Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.545{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649588Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.529{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DECE-60B8-7B4E-00000000C401}6156C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649587Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.529{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DECE-60B8-7B4E-00000000C401}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649586Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.533{D419E45B-DECE-60B8-7B4E-00000000C401}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000649585Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.529{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AB3FACAA4BA925155FF775B9E279977,SHA256=8E6F408D79FFB041640EB909F0C454594F8C1E9D5D2AC4DA949B80F45D1647A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649584Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.045{D419E45B-DECD-60B8-7A4E-00000000C401}55644480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595497Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:19.507{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB5722724B00F05CBF8CF174482BF3B,SHA256=DA2476C08931DBB777D2414DC41394E6C615D249E5AFDB52EE81AA2164DC8E22,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649654Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:19.951{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_computers.json2021-06-03 13:53:19.951 23542300x8000000000000000649653Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.951{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33F6CB1CB3E54F1C7FF845EFC9A860EF,SHA256=B9BAF28CBADDF0AF5C56E6379BE512452449E73CB5F9292DB1D1A25ED029757D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649652Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.936{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649651Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.936{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649650Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.936{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649649Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.936{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649648Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.936{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649647Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.920{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 11241100x8000000000000000649646Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:19.920{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_domains.json2021-06-03 13:53:19.920 10341000x8000000000000000649645Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.920{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649644Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.920{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000649643Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.904{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5520EAB2D4D4F2B474018A3980AD603,SHA256=CEAE80A8397DC63F389FBE351CD852230D83F998B7C581E7A6EA7707B056FA78,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649642Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:19.889{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_ous.json2021-06-03 13:53:19.889 11241100x8000000000000000649641Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 
13:53:19.873{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_users.json2021-06-03 13:53:19.873 11241100x8000000000000000649640Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:19.873{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_gpos.json2021-06-03 13:53:19.873 23542300x8000000000000000649639Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.858{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64A01646A3FD44E84ABF3DE2D63350AE,SHA256=009197F949E1862D8A012AA3C7B8E99DD20A1FAE7D2260EEE5294040B8151674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649638Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.858{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7773B2BE2EC2E2CDB867CD5596A75E91,SHA256=5111354D767E60EA382030502DA64F72024EF2B8F5FF8B75313BC69BF779EFB9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649637Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:19.858{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_groups.json2021-06-03 13:53:19.842 10341000x8000000000000000649636Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649635Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000649634Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649633Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649632Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000649631Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649630Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649629Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x8000000000000000649628Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.420{D419E45B-DECF-60B8-7E4E-00000000C401}6360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649627Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.358{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649626Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.358{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649625Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.311{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649624Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.311{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
17141700x8000000000000000649623Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 13:53:19.279{D419E45B-DECF-60B8-7E4E-00000000C401}6360\PSHost.132672019991954406.6360.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000649622Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.264{D419E45B-DECF-60B8-7E4E-00000000C401}6360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_25mihogc.twn.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649621Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.264{D419E45B-DECF-60B8-7E4E-00000000C401}6360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_hh5czhq4.yoi.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649620Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.248{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_hh5czhq4.yoi.ps12021-06-03 13:53:19.248 10341000x8000000000000000649619Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.233{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649618Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649617Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649616Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649615Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.186{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649614Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649613Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649612Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-DECF-60B8-7D4E-00000000C401}53481652C:\Windows\system32\cmd.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649611Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.195{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module 
c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-DECF-60B8-7D4E-00000000C401}5348C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1 10341000x8000000000000000649610Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DECF-60B8-7D4E-00000000C401}5348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649609Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649608Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649607Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649606Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649605Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-DECF-60B8-7D4E-00000000C401}5348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649604Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.186{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DECF-60B8-7D4E-00000000C401}5348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\Sy
stem.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000649603Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.178{D419E45B-DECF-60B8-7D4E-00000000C401}5348C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module 
c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000649602Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.170{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DECF-60B8-7C4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649601Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.154{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649600Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.154{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649599Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.154{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649598Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:19.154{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649597Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.154{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DECF-60B8-7C4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649596Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.154{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DECF-60B8-7C4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649595Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.156{D419E45B-DECF-60B8-7C4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000649594Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.108{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B978654056C2B9CC863F015EE6DCCC,SHA256=AC7D038D19DEAA7C5BB428221115E4D7350E9E674DCA3A9006FDB77FF0D0D552,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000595502Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:18.708{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49886-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595501Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:17.853{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49774-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595500Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:20.538{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D25F5FB46E9DDA8A2E784090730FBE5,SHA256=CD29B6C9AA4B78A047E9D98472C9C623A3C2DEC7A8A2EC11D360BF17111BD2C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649694Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.322{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49884-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649693Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.322{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49884-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649692Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:17.309{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49883-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649691Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.309{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49883-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649690Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.308{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49882-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649689Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.307{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49882-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649688Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.307{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49881-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649687Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.307{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49881-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649686Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:17.305{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49880-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649685Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.305{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49880-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649684Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.304{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49879-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649683Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.304{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49879-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649682Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.303{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49876-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649681Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.303{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49878-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649680Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:17.303{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49877-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649679Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.303{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49876-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649678Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.303{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49878-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649677Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.303{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49877-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649676Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.065{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49875-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649675Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.065{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49875-false10.0.1.14win-dc-233.attackrange.local389ldap 
10341000x8000000000000000649674Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.264{D419E45B-752F-60B6-0D00-00000000C401}9044464C:\Windows\system32\svchost.exe{D419E45B-A157-60B6-E60A-00000000C401}3196C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649673Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.264{D419E45B-752F-60B6-0D00-00000000C401}9044464C:\Windows\system32\svchost.exe{D419E45B-A157-60B6-E60A-00000000C401}3196C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649672Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.264{D419E45B-752F-60B6-0D00-00000000C401}9044464C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649671Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:20.264{D419E45B-752F-60B6-0D00-00000000C401}9044464C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1200-00000000C401}480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649670Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.264{D419E45B-752F-60B6-0D00-00000000C401}9044464C:\Windows\system32\svchost.exe{D419E45B-78A3-60B6-B402-00000000C401}4592C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649669Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.264{D419E45B-752F-60B6-0D00-00000000C401}9044464C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-0C00-00000000C401}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649668Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.217{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A1F4C682495DD0B992B54D97CA219D8,SHA256=5428673C915D71A2A2FC3807BC3F6B0D3AE633CBD31B5293AED5E28EE3C59FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649667Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.170{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3C9C62FD7F8E6B5EB9012B3ADDCA1075,SHA256=27D7D6FB3BF3154CDD9F67EC085DCBB60EDBA86B1E91427099FC5C7D9E67A4FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649666Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.139{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B338EC2B191B3B0B28B1030193813E99,SHA256=37510E981B359B3BB44901160C94CAE6E61806D8D4E7E6312CC546E0A59CDC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595499Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:20.022{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F686622CB35EB4693ACD5FB0998B1BDC,SHA256=3ACA030B34B93AF3CB36F34DA881930FDC2445C58FD3074965A631867E3A67B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595498Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:20.022{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A179F79511C65E342A5068FF0B4753B8,SHA256=CB796B2DE24A00B82F9D07F0EC01AAB071C88A881FA96EA35CAD05FC419CAB33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649665Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.108{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFB01CAE9E745F3BBE05B118A00E852C,SHA256=A8239733D3BD991E6EC94F33A3651D990DCF4E9FA5E7D90D7809AD22071E7D16,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649664Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:20.061{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.bin2021-06-01 18:15:53.751 23542300x8000000000000000649663Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.061{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.binMD5=2FB780692208D5190ACAD6F89B23A22E,SHA256=147E57D1F52087A7B0C5A987B78E5975CEC3F4BA43C13A8A97A4C9E8CE545083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649662Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.045{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_computers.jsonMD5=33567B858E18E75BFBBE3295D6CE4CBE,SHA256=C867058A174CF386BDF326276649D85975D023EFBC3A450211F184385D2F6A0F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000649661Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.045{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_domains.jsonMD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649660Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.045{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_ous.jsonMD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649659Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.045{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_users.jsonMD5=BFF8DFD6363F258D55DD0F64AB4A52A6,SHA256=1850C27B919183A08336154561DEEB2095D8C3D0D4C7C03A70AF82659A37E4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649658Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.045{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7DA1B2C0B994D2BAB192A900C1BC8E9,SHA256=1D0DD54F02D811722507D323ECBD30C24D75F32E70BC77FE062999ECFFC0EF96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649657Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:20.045{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_gpos.jsonMD5=DCB570C80F70EAC0F6A8803BF8F48F7F,SHA256=C57F8C8470A8B1832A69F537DC41F66B22B6EB03D2CFF0E8AD53EEE1E4BA0F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649656Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.045{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_groups.jsonMD5=C52680A605F7AA416CFBEB0F63934D9E,SHA256=2AB34C80D63C54E9488410C31A43FE5898D10045566F562359E2E588B8EBD73A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649655Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:20.029{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_BloodHound.zip2021-06-03 13:53:20.029 23542300x8000000000000000595503Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:21.554{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680443575661EB2445ED4BF88EBA1D2B,SHA256=525438528C5C01A99ED37939C4C70AD624E7682945EBF840BABBBA18F95EF11C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649707Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.479{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49892-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649706Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:17.479{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49892-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649705Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.471{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49891-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649704Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.471{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49891-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649703Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.449{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49890-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649702Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.448{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49889-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649701Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.447{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49888-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649700Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.441{D419E45B-752A-60B6-0100-00000000C401}4SystemNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49887-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649699Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.406{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49886-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649698Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.404{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49885-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649697Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.404{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49885-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000649696Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:21.373{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8B42F406517939613C7BBFA00C24CFB,SHA256=E2F730392F1D7C6A188390FDB4194DC1DAFFD66C38BAAE7B048D66F882529275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649695Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:21.358{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A55998E953E9279EB21E0131D203BE,SHA256=70706B82331B4FE29167111033CDA19265A828461021E6B6359217F77D3C7AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649710Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:22.514{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5EEBFBCED083DBF7123549DE6A5E5F1,SHA256=94724DDF38E0765386978E15D39815CA57E50A7FA7953D24C74BA26A7E595172,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649709Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.583{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49893-false10.0.1.12-8000- 23542300x8000000000000000649708Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:22.404{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24744B835DF00AF5DFA530B0D495E9E9,SHA256=E5D0F77CE878BDC2D4AC8ECCBB38D5791A342D98E082A91A0ACFF1A63D13E5A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595508Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:22.554{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D8C7A72B7EF31FB8BD1A2C18ED77E9,SHA256=A44981AC26C921AAA5B891F9FA1A0D9D1149BB6F1254C2C7788D1541C5668F72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595507Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:18.751{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49890-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595506Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:18.750{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49889-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595505Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:18.749{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49888-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595504Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:18.743{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49887-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 23542300x8000000000000000649712Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:23.654{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C14DF3B8AE8BA3C56E2A0231D6498079,SHA256=C4BF7EDEBD1CC5514FC32A106820535C1BCD3775CB4EF350BB2A3323A75CE1A1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000649711Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:23.498{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6F3BFF9E1330E7360ED872403A3D6B,SHA256=22E304794C2632B07B076A8188A790AA30EB44A0AF7A9302061DD4F23CAB03B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595509Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:23.571{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=675B21841C2602D6925A089C3BDF01F7,SHA256=5E390AA7FC0CEB22A32A07F30C3A9E413B767217CE96FDF7FBD9CA851F42EE3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649714Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:24.795{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EB11C6CC3DEE54A2A6018D28AC38F64,SHA256=78A910943FC6284E6A9F1F71898F4379D7B655F80E34CC88CE9C161DB6AD5F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649713Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:24.514{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3050590F589A9F270FEC2993F76D537B,SHA256=1A580FEF69F3113A8C753E4AD608B22D9AD19B17E1609B0A26CDDB3BBEFE9F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595510Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:24.587{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3FF953FFE9DA53762837AA293BA93E,SHA256=59384D596668604FA3FCA7F5068A8F9CF4CE4BE5B81405ABA42F7CA58833AFAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649716Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:25.936{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B357D9825FE1466EFD2938E50404323,SHA256=10FEE4EE06E1D952E4F66A938ABF68D59FEB58D6B083A6B928DA2F4794613B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649715Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:25.529{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C8B64CB81AAEC11244F0DD1923C806,SHA256=E8490A2A18D7F1D936C79244FE6487E2A9985D7639021122F3363A90D3CEAE31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595513Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:25.587{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC326EC5667EF2F095AF9AAB53E0B37E,SHA256=2E9EC0E053585D912CC6B46DCC9B3866B30CB6AB478014100703AED6C0B01218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595512Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:25.165{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF7D1EB8D2568754B448B7A4092FC2F7,SHA256=42F1DE87E11B17229501FE4914AB7930063E2C39268B2E0AC7C6A6C8FA15DFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595511Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:25.165{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F686622CB35EB4693ACD5FB0998B1BDC,SHA256=3ACA030B34B93AF3CB36F34DA881930FDC2445C58FD3074965A631867E3A67B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595515Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:26.602{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B564CE808ED67FC095EAA20B09C957,SHA256=DB9869342F0C0550BB28B5A6A970CFA982546E4D0D44D0A78080B10D9DCCF84E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649717Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:26.764{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379D3CA8089B8A7914AD54D05AC3F65F,SHA256=6C588054FC8FCBC3F075E570588AA8E1D5288CB2DAC02803BB8F54CBF0191222,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595514Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:22.916{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49775-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595516Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:27.618{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54ECD680BCFA796F57E8F3B68910AB4,SHA256=4DE0D206939733A066835B8ECC162B697C6768FFAF982D6B288BBB6BD5D311DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649720Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:27.795{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43EDD41A8E992C28FC1EE2D07147E6E5,SHA256=A92385B8018906A4CB19DA2B0169913F4EE7BE73F8AD4F3C5F2A32B6AED5E29D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649719Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:22.645{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49894-false10.0.1.12-8000- 23542300x8000000000000000649718Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:27.217{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60460DFDBFF2F7D2C4220430B3941FAC,SHA256=13415F3258BFBDD28AC2116473439ED513665C9A3049D6C24573CA5811DA432C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649722Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:28.812{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0633AA04E1278580C4B3E09002253126,SHA256=0501D840E5072DB7EA2ACFBE33E094B6C8AA90ED893C9154441574DF51A80867,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000595537Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.790{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000595536Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:28.790{97C2ED32-772F-60B6-0B00-00000000C501}6285084C:\Windows\system32\lsass.exe{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595535Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.790{97C2ED32-772F-60B6-0B00-00000000C501}6285084C:\Windows\system32\lsass.exe{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000595534Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.774{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595533Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.774{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595532Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.758{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-DED8-60B8-5058-00000000C501}5168C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595531Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:28.758{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-DED8-60B8-5058-00000000C501}5168C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595530Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.758{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595529Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:28.758{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595528Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.758{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595527Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:28.758{97C2ED32-DED8-60B8-5058-00000000C501}51683792C:\Windows\system32\conhost.exe{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595526Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.758{97C2ED32-9094-60B6-BC06-00000000C501}9441324C:\Windows\system32\csrss.exe{97C2ED32-DED8-60B8-5058-00000000C501}5168C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595525Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.743{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595524Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:28.743{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595523Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.743{97C2ED32-9094-60B6-BC06-00000000C501}9441004C:\Windows\system32\csrss.exe{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595522Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:28.743{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595521Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.743{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595520Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:28.743{97C2ED32-9D3E-60B6-7A08-00000000C501}33646096C:\Windows\system32\ServerManager.exe{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.
30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000595519Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.746{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000595518Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.696{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=723CCC480A1FF2C3B5862534D1B82F4F,SHA256=18ED9BB6E403BB0E29D454C33FDF00563D3FE10075E64D6AA154734362C6A5D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595517Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.649{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=729B0E822C4E6F51211B7BDDD7BD257D,SHA256=012CA33405F324B376CC9559CD42F0217307A00F1DFAEFB0BFB18D3830BEF6D3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000649721Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:28.248{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7296B1956D20E595609E5C9502447A83,SHA256=D8F3059A0294930A0583D63035399277ED1F1BE25E56596E4406DF15611A7FF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595551Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595550Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595549Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595548Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595547Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595546Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595545Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595544Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595543Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595542Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF7D1EB8D2568754B448B7A4092FC2F7,SHA256=42F1DE87E11B17229501FE4914AB7930063E2C39268B2E0AC7C6A6C8FA15DFF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595541Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595540Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.758{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=58267FC029525A660CBD7F7DD68DBBA3,SHA256=5754DDA688749EF9BA8124AF320592321CA641196F8F3DF72333123BCA56B724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595539Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.758{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1C0ABA980AD3154A9CA1153FF8929F80,SHA256=42D2B3847F90BD4E8A0E1EB5B374BC0DDD73DFA6DB1F4C1772BD1C0D86DD4607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595538Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:29.649{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA2276895113DEA553532B8AE4A8A5A,SHA256=3DDAAA45DFEA1896C5B7E04AC31F6DBB4E1CA5263C61A742D30CC54AC3515C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649724Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:29.843{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC03DA19AFEB9D52CC390DBAADBAB47,SHA256=8A310D0C9FD5B7BF6B133A692B245E143ECBCEE5842A1C9BAEE36C335BBDA466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649723Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:29.296{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9607DEB07A6981244B94652E8BC36FE,SHA256=B9B81FC4C6ADD7DF96B490C770CBAE079B9D5A6A7E47401B8A0A130515163D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595554Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:30.665{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D30B443BD9F5C2009132184B3153F0,SHA256=8BDEA285B360250E6E548DE64BA8E6DCB4CFB8FEAEED24DBD60249701DBF21AD,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000649726Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:30.843{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=110819D769C9F03D54A0D2DA92559253,SHA256=D5116485739DD66C3567AE3DF054B024053BB88C85CD7537D2EA24FC31BC99B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595553Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:27.630{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local49776-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000595552Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:27.630{00000000-0000-0000-0000-000000000000}2484<unknown process>-tcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local49776-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 23542300x8000000000000000649725Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:30.452{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A796C27D7641F734B57841F30F0A4CB8,SHA256=1B4D0164D37D715BCE19AF28A79ED5381FFBD816484AD26F9D51FF0ECDFE05E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595557Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:31.807{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66A6BD7A6F460B77FA60DE24C55B890F,SHA256=7B1F67369069EA073475A5634342BEEA795CEE01B760C50F5B739EFFAEF5DC46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595556Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:31.682{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70808B7DAD8D0A2F53E34276CB8EAE9E,SHA256=715F035C8A9E5468C405D5758A7B622FD7D12E46C9A0EE597910CA74FF5AFA4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595555Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.041{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49777-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000649729Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:27.693{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49895-false10.0.1.12-8000- 23542300x8000000000000000649728Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:31.749{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C26E394378E648C786C0FB9D454902C,SHA256=617045491567D144CE9230C0E7345303EB142B177A457D0FB34790072027D6F2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000649727Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:31.515{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ECB99CA372BA70F2B06486EB96462DB9,SHA256=2B1E288CF8993ED23B3E11E696376A02C7BEC50D7D6971076D8DAD10CD67FFEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595558Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:32.726{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CBB88E69CE9814DE71B1B81ADA73E83,SHA256=E5CE2DF84A9084D2B1D7A7603F9C325E6E8F603AA9699D1DFCC0DDA8D9751FF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649730Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:32.062{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1549BC4939EC9EFB134B9E38AF36A6AF,SHA256=012BB0547E01640E44B1C303DC577AFCE60596BF51176D1B7FC80E6461B7DFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595559Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:33.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C80753601505F92B23B04FED061920D6,SHA256=B7F5A85077C567300A970B92B0D87F9DB357EAEB4AD46822F3FBD4709521A2C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649732Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:33.218{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EEB81D6DFFA54DCA19C51C27B01CA9C,SHA256=E9896521E9239B95AEFA4E87131C2957850ECF842D4B8444A1128DA8372B3581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649731Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:33.124{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=341ED64E157C24ED11B701E40E5254D4,SHA256=908084E2EF636B0EFC871DE169C17B4F00CB37D3A7BA3F5E2844186D4DF320B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595560Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:34.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F014DFC830DEC7207C3A5E36B22F4A65,SHA256=E00D2A010ED7F2E0D24C777CCAC9E7124F6FAACE831F18D6A11E4FEB3963298D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649734Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:34.249{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D723F1B26BC36C492CB5DB343F290E7,SHA256=3147420D462219911418E959E16CC8C76C8A51AC2C365193775A91670FDDDFFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649733Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:34.249{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9D89B25173630D31DDE1971B37E28C6,SHA256=226F0692F7C22F2B5112D1034E027ACF70D4F9746BBDD623A5AD53DD558B6612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595561Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:35.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5387FDD25594C92F844E9A28B40DE661,SHA256=E7AE620A733E8D1E5E78FC48BC445FBFFB6BA1B0AA6B651DEF3236487AED02C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649736Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:35.390{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9821135E7F6FD1D058E1265F8E90B7F9,SHA256=12BDB4160977A7988168873B93B798F3758C4B49E2484ED51A657817899D13C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649735Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:35.265{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD42AC7D03945855FCFB50376E8EB6B,SHA256=8C04130C58667A99D006FCB39540058A655D3335C6F5DC4009D3E98318DA77A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595564Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:36.757{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131D0ECC2AD7762DFFDE361E3DC076F6,SHA256=E24E368D4D4E523D9DDAF24541FA035199289F790A32512977F820B10359C9C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649744Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:36.528{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE98A66712C5C32A484F9AC2E91517C4,SHA256=33EB2F3E792A949150A5DDC11060E22F5F0FC56732EC3CF96C6D8DB16EC5C57A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649743Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:36.309{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF724531BEE25B5C360F7EDC340E073,SHA256=95AD36F043A5DD0CFD80336A0DFF09230EB14A7A22912371652F8BBA8E75FD4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595563Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:33.917{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49778-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595562Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:36.135{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D603042E4D45D0FED1C4BEBFB01CFBA,SHA256=C79BB897656F4FE66005008576623C737C7238358F5EE86001DFBB1F494CFD74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649742Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:36.075{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DEE0-60B8-7F4E-00000000C401}3492C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649741Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:36.075{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DEE0-60B8-7F4E-00000000C401}3492C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000649740Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:36.075{D419E45B-752F-60B6-0C00-00000000C401}8485444C:\Windows\system32\svchost.exe{D419E45B-DEE0-60B8-7F4E-00000000C401}3492C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649739Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:36.059{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-DEE0-60B8-7F4E-00000000C401}3492C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649738Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:36.059{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DEE0-60B8-7F4E-00000000C401}3492C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649737Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:36.059{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-DEE0-60B8-7F4E-00000000C401}3492C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595565Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:37.773{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C8A6983FA7B9A445C6CCDF0EDE691E,SHA256=53548BFDB7C5FB985B8F11E49D4C18C0C03D4183ADAA6B944789ABECB9C2E2E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649747Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:37.674{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D533AFEAFA21526513CBE2D71478876,SHA256=57B3BAE5E938A1069CF74E109D41926F41C9DFFCD4D8D6D086D0AE7042E0B272,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000649746Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:37.314{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BB58E042D7119356F3D3E6F7A85505,SHA256=599D9DBB54DCCF651E0104332B43655D47DC03BB32E9D403B3A03D154A76A700,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649745Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:32.709{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49896-false10.0.1.12-8000- 23542300x8000000000000000595566Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:38.773{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3B1EE6130B0D67F3D5F059D61D0CF4,SHA256=2741F9EED9CB8965C177959348A135D0015CCF09DBB669BC7E589662909ABF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649749Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:38.767{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7543116DF5BBC22E3BE3B23D31B166E2,SHA256=AD3C6A2947C1498AE70B95889BF9CADF6AC23E05E715C0048B2FCE190EDBD040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649748Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595586Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:49.571{97C2ED32-DEED-60B8-5158-00000000C501}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595585Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:49.070{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2049C26A3322A47334A87C76267D4966,SHA256=BFF268374460A799EAC4E32AE38DB7C6B3E636CDED3038D8294C371641A4C5F4,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000649793Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:50.033{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBB59DF6C05F7EDC0B3C44734E0309BB,SHA256=AE1318E5251E46E2F17676FCB6B52C20D6BE423FC0E77C937007AD3A56162DB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595612Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.820{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEEE-60B8-5358-00000000C501}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595611Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.820{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000595610Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.820{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595609Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.820{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595608Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:50.820{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595607Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.820{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DEEE-60B8-5358-00000000C501}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595606Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.820{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEEE-60B8-5358-00000000C501}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595605Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.821{97C2ED32-DEEE-60B8-5358-00000000C501}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595604Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.586{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E818E1BDFD3B4EE6CFDFC9C3A9649A67,SHA256=11014B93EF766B4280D0529B03033DBA13E4337A52136DC5609C0426B51ACE6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595603Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:50.351{97C2ED32-DEEE-60B8-5258-00000000C501}40325276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595602Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.226{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEEE-60B8-5258-00000000C501}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595601Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.210{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DEEE-60B8-5258-00000000C501}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595600Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.195{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEEE-60B8-5258-00000000C501}4032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595599Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.195{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000595598Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.195{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595597Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.195{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595596Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:50.195{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595595Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.196{97C2ED32-DEEE-60B8-5258-00000000C501}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595594Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.070{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBB08C21AD7361475263665934C40CC,SHA256=AA2C08974DCCC370B0106C8DFDE0CEFB75287D5752C9B6E9FF2B39746D509377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649795Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:51.142{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=396A7AC154836A7E8AE2ADCBACCF3B9B,SHA256=AD08F75E3E7ED087B3ADBB92B6ECE75EF64D029CEF5A69865CD32304BA17E748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649794Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:51.095{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF27BCC6EBC92C084D4C4B79415A0E45,SHA256=92F3E99BCDF33EF44A29E7FB53DD079FAF2A90C371AE2FD11D7F84F82E36CB80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595622Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:51.851{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77CCF3B1AC2374BCFD61A34B7D37927B,SHA256=8D7950670DABB23A3F683B3778843EC08057BD91451674417755C6D8028BD6B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595621Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:51.492{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEEF-60B8-5458-00000000C501}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595620Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:51.492{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595619Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:51.492{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595618Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:51.492{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595617Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:53:51.492{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595616Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:51.492{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DEEF-60B8-5458-00000000C501}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595615Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:51.492{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEEF-60B8-5458-00000000C501}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595643Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.117{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=859E4DFCC7EFE0D2564A81B27B8AA3DD,SHA256=FF88F69AE7EAB9607C727EBAAFE45EC7A2884F370A991613FFBAE1679FA7040B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595642Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.101{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF2D0728003F7F3176643D771731068,SHA256=EA0D03FFE182EE7EA5F91D22253C2096B9EA92942C8D575D1E96249D2FF9F8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649828Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.861{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C8DBD3FCD18B2C74AF8A40C1F5ED53CE,SHA256=BAEA2A9C95EE66796A319AF8B2991CA167F024FFC315BC78B5BF5CC3DDFB5541,IMPHASH=00000000000000000000000000000000falsetrue 
734700x8000000000000000649827Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.736{D419E45B-DEF0-60B8-814E-00000000C401}1084C:\Temp\SharpHound.exeC:\Windows\SysWOW64\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=B7E2FC98A721415DE1B2A77D9A7B95ED,SHA256=CA6EE939BAD0EF32A1A62D1EA6D7D29006889FF6C4626650F9CD38FD6C27B87D,IMPHASH=F041BC2D00F8EE54536427C63882D791trueMicrosoft WindowsValid 10341000x8000000000000000649826Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.736{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649825Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:53.736{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649824Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.736{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649823Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:53.736{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649822Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.736{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649821Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:53.736{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649820Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.705{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649819Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:53.705{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.705{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:53.674{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649816Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.674{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649815Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:53.517{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24ED6F0EFA4B5C48E302138C84BDDB57,SHA256=D46421AEFC0DC30FE19B7E44490B1315513BEB1675EA9AA4CBE5B8494EC4FC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649814Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.127{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E1B05EC8E2D9BEBF796DDA9795B90B,SHA256=12B97E85DD201A884B4F2C9F84E96A3A0A5466F39B2DAC8509AB1B9DF0DB60A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595655Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:54.539{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7359B4758DA65A817F39A99405F869AC,SHA256=4955FC2EDB7A20481A4C9CB041FEA97F949ED6C905D10C85D4ABD14D0BE61249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595654Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:54.132{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50E5DDD43E09CE225901565BC511959,SHA256=83A9B9208F24B288AF9DBCE1B6D57014C4B5D1F5C1DCD508370CF059EEABACA0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000649866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.861{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=621707C55D6927CA68C3837AED424E06,SHA256=F7645BA1F14225034ED12CF2E5E7475F06C7FF4EE8DCC2391659D0ABEB2583DD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:54.736{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.bin2021-06-01 18:15:53.751 23542300x8000000000000000649864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.736{D419E45B-DEF0-60B8-814E-00000000C401}1084ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.binMD5=8587E3632B61451FF6EAE643AE6A3294,SHA256=EB31C6EB0B40050881C3EF1B243774ED34957BF95AFD98F6F09767A2505BDFC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.720{D419E45B-DEF0-60B8-814E-00000000C401}1084ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135353_computers.jsonMD5=BC6D79EF4F469420EE4F76EEE7183FDA,SHA256=539A89CCB4A769A572593D28F7E62EF24C3A82AE53EC4440034D41D9DFE17690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.720{D419E45B-DEF0-60B8-814E-00000000C401}1084ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135353_domains.jsonMD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000649861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.720{D419E45B-DEF0-60B8-814E-00000000C401}1084ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135353_ous.jsonMD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.720{D419E45B-DEF0-60B8-814E-00000000C401}1084ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135353_users.jsonMD5=7797A36FAC4DA6BAE3B36D8D45AC7493,SHA256=7888A47D021E069D98BBEEEF8BE70D910CE9980D130DCEC0923710C588CA1F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.720{D419E45B-DEF0-60B8-814E-00000000C401}1084ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135353_gpos.jsonMD5=DCB570C80F70EAC0F6A8803BF8F48F7F,SHA256=C57F8C8470A8B1832A69F537DC41F66B22B6EB03D2CFF0E8AD53EEE1E4BA0F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.720{D419E45B-DEF0-60B8-814E-00000000C401}1084ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135353_groups.jsonMD5=65CA7A88725EFED6C7E7A257BBE2CA5D,SHA256=8EB4E54312A01786ED7D56BAD602660DABDEF2367193B959A44198D30917E7CD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:54.689{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exeC:\Temp\20210603135353_BloodHound.zip2021-06-03 13:53:54.689 22542200x8000000000000000649856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:52.791{D419E45B-DEF0-60B8-814E-00000000C401}1084win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;c:\temp\SharpHound.exe 10341000x8000000000000000649855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.689{D419E45B-753F-60B6-2C00-00000000C401}30206308C:\Windows\sysmon64.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x8000000000000000649854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.791{D419E45B-DEF0-60B8-814E-00000000C401}1084win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;c:\temp\SharpHound.exe 10341000x8000000000000000649853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:54.689{D419E45B-753F-60B6-2C00-00000000C401}30206308C:\Windows\sysmon64.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x8000000000000000649852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.791{D419E45B-DEF0-60B8-814E-00000000C401}1084win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;c:\temp\SharpHound.exe 10341000x8000000000000000649851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:54.689{D419E45B-753F-60B6-2C00-00000000C401}30206308C:\Windows\sysmon64.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.689{D419E45B-753F-60B6-2C00-00000000C401}30206308C:\Windows\sysmon64.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x8000000000000000649849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:52.035{D419E45B-DEF0-60B8-814E-00000000C401}1084win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;c:\temp\SharpHound.exe 22542200x8000000000000000649848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:51.947{D419E45B-DEF0-60B8-814E-00000000C401}1084win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;c:\temp\SharpHound.exe 10341000x8000000000000000649847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.689{D419E45B-753F-60B6-2C00-00000000C401}30206308C:\Windows\sysmon64.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000649846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:54.674{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exeC:\Temp\20210603135353_computers.json2021-06-03 13:53:54.658 11241100x8000000000000000649845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:54.658{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exeC:\Temp\20210603135353_domains.json2021-06-03 13:53:54.658 11241100x8000000000000000649844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 
13:53:58.970{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649917Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.970{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649916Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:58.970{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-DEF6-60B8-824E-00000000C401}5344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649915Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.970{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DEF6-60B8-824E-00000000C401}5344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(w
ow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000649914Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.962{D419E45B-DEF6-60B8-824E-00000000C401}5344C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c c:\temp\sharphound.exe -c allC:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000649913Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.657{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92B36974C06837A477B3D393BF8F21B0,SHA256=8A6376679CEFFA2591D8B545AEF0D7C39AFC2C05884C7470CA9E6DEFFD3765A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649912Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.532{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2A794D9189CE8E2F14FF2449043059,SHA256=B274AAC6D19B64A7A8A70B2CA18F2B14C22B1B5BA12A366D81B44B8F8A5DC47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595667Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:58.293{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E70C18B386AECB73C8F11AC46DE48951,SHA256=E95B54B649316F0A6F5FBC2D8713B7D3B4447B3690E8343115305B0DF0BCE4AA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000595666Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:58.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF80B8BF41618622865894ED2F7B925,SHA256=02C5D4D6E39F2660FCB83048943602C62FF8DFA1E053A4BEF8A707B2370E964A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649963Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:59.814{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.bin2021-06-01 18:15:53.751 23542300x8000000000000000649962Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.814{D419E45B-DEF6-60B8-834E-00000000C401}6968ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.binMD5=0D30DFB54488D59E2B5B93E04E43134C,SHA256=C0A9ADC14C4C1D34A5502CA9D21C4DE4CF6366C1BD92D0B295E66AECEB068969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649961Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.798{D419E45B-DEF6-60B8-834E-00000000C401}6968ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135359_computers.jsonMD5=BC6D79EF4F469420EE4F76EEE7183FDA,SHA256=539A89CCB4A769A572593D28F7E62EF24C3A82AE53EC4440034D41D9DFE17690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649960Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:59.798{D419E45B-DEF6-60B8-834E-00000000C401}6968ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135359_domains.jsonMD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649959Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.798{D419E45B-DEF6-60B8-834E-00000000C401}6968ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135359_ous.jsonMD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649958Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.798{D419E45B-DEF6-60B8-834E-00000000C401}6968ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135359_users.jsonMD5=3E9BF373CFDF495E48CB3AF1A6845963,SHA256=60E6A1128967EE05C94EA16086FBF591FF2E4EB08005D5ACBBE1B4AE051B4B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649957Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.798{D419E45B-DEF6-60B8-834E-00000000C401}6968ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135359_gpos.jsonMD5=DCB570C80F70EAC0F6A8803BF8F48F7F,SHA256=C57F8C8470A8B1832A69F537DC41F66B22B6EB03D2CFF0E8AD53EEE1E4BA0F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649956Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.782{D419E45B-DEF6-60B8-834E-00000000C401}6968ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135359_groups.jsonMD5=1B97C2394DE6069C7735509577B0BFFD,SHA256=0E010B488DA453E57144D0959FE672A3F8F384D9D796BF7AA43C8688A2685B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649955Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:59.782{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D06B11B9DB9183154CD524479082A73,SHA256=C3257BD17A70E17D2F76D87886C923F0875D531D70C775734272A108017F54A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649954Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.782{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EEFF8F725107B7DE5FD2941EF0CA18,SHA256=78DB990EE7EAB6DD27FE4D59C3A9BB1FCBCFA6990C88DEC593B4A9F804A5D033,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649953Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:59.767{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\20210603135359_BloodHound.zip2021-06-03 13:53:59.767 11241100x8000000000000000649952Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:59.735{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\20210603135359_computers.json2021-06-03 13:53:59.735 11241100x8000000000000000649951Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:59.735{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\20210603135359_domains.json2021-06-03 13:53:59.735 11241100x8000000000000000649950Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:59.720{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\20210603135359_ous.json2021-06-03 13:53:59.720 11241100x8000000000000000649949Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 
13:53:59.720{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\20210603135359_users.json2021-06-03 13:53:59.720 11241100x8000000000000000649948Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:59.720{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\20210603135359_gpos.json2021-06-03 13:53:59.720 10341000x8000000000000000649947Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.720{D419E45B-752D-60B6-0B00-00000000C401}6326060C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649946Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:59.720{D419E45B-752D-60B6-0B00-00000000C401}6326060C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649945Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.720{D419E45B-752D-60B6-0B00-00000000C401}6326060C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000649944Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.720{D419E45B-752D-60B6-0B00-00000000C401}6326060C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000649943Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:55.679{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49931-false10.0.1.12-8000- 11241100x8000000000000000649942Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:59.673{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\20210603135359_groups.json2021-06-03 13:53:59.673 354300x8000000000000000595670Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:56.888{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49783-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000595669Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:56.107{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49782-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000595668Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:59.199{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03394D555B2BE7AD267A131D504B5FBA,SHA256=8017FD5DBE8693E6CD2AD5AE5781388052D2EE95E8BFD1DAF1972B3343CB1C12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649941Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:59.189{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649940Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.189{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649939Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:59.189{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649938Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.189{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649937Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:53:59.189{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649936Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.189{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000649935Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
Sysmon records from the run-together export, one record per line and grouped by EventID (within a group, in the order they appear above). Every record has Channel Microsoft-Windows-Sysmon/Operational, Level 4, Opcode 0, Keywords 0x8000000000000000 and Task equal to its EventID; Version is 3 for EventID 10 and 5 for EventID 3, 22 and 23. Those constant columns are left out of the rows below. The remaining fields are comma-separated in Sysmon's field order for each EventID; the Hashes field is quoted because it contains commas.

Partial record, EventID 7 (ImageLoad); its leading columns fall before this span:
UtcTime 13:53:59.173, ProcessGuid {D419E45B-DEF6-60B8-834E-00000000C401}, ProcessId 6968, Image C:\Temp\SharpHound.exe, ImageLoaded C:\Windows\SysWOW64\cryptdll.dll, FileVersion 10.0.14393.2969 (rs1_release.190503-1820), Description Cryptography Manager, Product Microsoft® Windows® Operating System, Company Microsoft Corporation, OriginalFileName cryptdll.dll, Hashes MD5=B7E2FC98A721415DE1B2A77D9A7B95ED,SHA256=CA6EE939BAD0EF32A1A62D1EA6D7D29006889FF6C4626650F9CD38FD6C27B87D,IMPHASH=F041BC2D00F8EE54536427C63882D791, Signed true, Signature Microsoft Windows, SignatureStatus Valid

EventID 10, ProcessAccess
EventID,RecordNumber,Computer,RuleName,UtcTime,SourceProcessGUID,SourceProcessId,SourceThreadId,SourceImage,TargetProcessGUID,TargetProcessId,TargetImage,GrantedAccess,CallTrace
10,649934,win-dc-233.attackrange.local,-,2021-06-03 13:53:59.173,{D419E45B-752D-60B6-0B00-00000000C401},632,5016,C:\Windows\system32\lsass.exe,{D419E45B-DEF6-60B8-834E-00000000C401},6968,c:\temp\SharpHound.exe,0x1478,C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10,649933,win-dc-233.attackrange.local,-,2021-06-03 13:53:59.173,{D419E45B-752D-60B6-0B00-00000000C401},632,5016,C:\Windows\system32\lsass.exe,{D419E45B-DEF6-60B8-834E-00000000C401},6968,c:\temp\SharpHound.exe,0x1000,C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10,649932,win-dc-233.attackrange.local,-,2021-06-03 13:53:59.158,{D419E45B-752F-60B6-0C00-00000000C401},848,4960,C:\Windows\system32\svchost.exe,{D419E45B-DEF6-60B8-834E-00000000C401},6968,c:\temp\SharpHound.exe,0x1000,C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10,649931,win-dc-233.attackrange.local,-,2021-06-03 13:53:59.158,{D419E45B-752D-60B6-0B00-00000000C401},632,5016,C:\Windows\system32\lsass.exe,{D419E45B-DEF6-60B8-834E-00000000C401},6968,c:\temp\SharpHound.exe,0x1478,C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10,649930,win-dc-233.attackrange.local,-,2021-06-03 13:53:59.158,{D419E45B-752D-60B6-0B00-00000000C401},632,5016,C:\Windows\system32\lsass.exe,{D419E45B-DEF6-60B8-834E-00000000C401},6968,c:\temp\SharpHound.exe,0x1000,C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10,650010,win-dc-233.attackrange.local,-,2021-06-03 13:54:05.532,{D419E45B-752D-60B6-0B00-00000000C401},632,4968,C:\Windows\system32\lsass.exe,{D419E45B-752A-60B6-0100-00000000C401},4,System,0x1000,C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e

EventID 3, NetworkConnect
EventID,RecordNumber,Computer,RuleName,UtcTime,ProcessGuid,ProcessId,Image,User,Protocol,Initiated,SourceIsIpv6,SourceIp,SourceHostname,SourcePort,SourcePortName,DestinationIsIpv6,DestinationIp,DestinationHostname,DestinationPort,DestinationPortName
3,649986,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.176,{D419E45B-752D-60B6-0B00-00000000C401},632,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,win-dc-233.attackrange.local,49942,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649985,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.176,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49942,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649984,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.176,{D419E45B-752D-60B6-0B00-00000000C401},632,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,win-dc-233.attackrange.local,49941,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649983,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.175,{D419E45B-752D-60B6-0B00-00000000C401},632,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,win-dc-233.attackrange.local,49940,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649982,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.175,{D419E45B-752D-60B6-0B00-00000000C401},632,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,win-dc-233.attackrange.local,49939,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649981,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.175,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49939,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649980,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.175,{D419E45B-752D-60B6-0B00-00000000C401},632,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,win-dc-233.attackrange.local,49938,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649979,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.175,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49938,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649978,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.173,{D419E45B-752D-60B6-0B00-00000000C401},632,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,win-dc-233.attackrange.local,49936,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649977,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.173,{D419E45B-752D-60B6-0B00-00000000C401},632,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,win-dc-233.attackrange.local,49937,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649976,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.173,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49936,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649975,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.173,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49937,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649974,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.172,{D419E45B-752D-60B6-0B00-00000000C401},632,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,win-dc-233.attackrange.local,49935,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649973,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.172,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49935,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649972,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.172,{D419E45B-752D-60B6-0B00-00000000C401},632,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,win-dc-233.attackrange.local,49934,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649971,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.172,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,udp,true,false,127.0.0.1,-,52419,-,false,127.0.0.1,-,52419,-
3,649970,win-dc-233.attackrange.local,-,2021-06-03 13:53:56.721,{D419E45B-752D-60B6-0B00-00000000C401},632,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,win-dc-233.attackrange.local,49933,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649969,win-dc-233.attackrange.local,-,2021-06-03 13:53:56.720,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49933,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649968,win-dc-233.attackrange.local,-,2021-06-03 13:53:56.700,{D419E45B-752D-60B6-0B00-00000000C401},632,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,win-dc-233.attackrange.local,49932,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649967,win-dc-233.attackrange.local,-,2021-06-03 13:53:56.700,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49932,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649999,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.221,{D419E45B-752A-60B6-0100-00000000C401},4,System,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,win-dc-233.attackrange.local,49946,-,false,10.0.1.14,win-dc-233.attackrange.local,445,microsoft-ds
3,649998,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.221,{D419E45B-752A-60B6-0100-00000000C401},4,System,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,win-dc-233.attackrange.local,49945,-,false,10.0.1.14,win-dc-233.attackrange.local,445,microsoft-ds
3,649997,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.221,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49945,-,false,10.0.1.14,win-dc-233.attackrange.local,445,microsoft-ds
3,649996,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.204,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49944,-,false,10.0.1.15,ip-10-0-1-15.us-west-2.compute.internal,445,microsoft-ds
3,649995,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.204,{D419E45B-752A-60B6-0100-00000000C401},4,System,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,win-dc-233.attackrange.local,49943,-,false,10.0.1.14,win-dc-233.attackrange.local,445,microsoft-ds
3,649994,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.204,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49943,-,false,10.0.1.14,win-dc-233.attackrange.local,445,microsoft-ds
3,595674,win-host-236.attackrange.local,-,2021-06-03 13:53:58.507,{97C2ED32-772D-60B6-0100-00000000C501},4,System,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,ip-10-0-1-14.us-west-2.compute.internal,49944,-,false,10.0.1.15,win-host-236.attackrange.local,445,microsoft-ds
3,649992,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.176,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49941,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649991,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.175,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49940,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,649990,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.172,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49934,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,650002,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.757,{D419E45B-753F-60B6-2E00-00000000C401},3052,C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe,NT AUTHORITY\SYSTEM,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49947,-,false,10.0.1.12,-,8089,-
3,650001,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.221,{00000000-0000-0000-0000-000000000000},6968,<unknown process>,-,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49946,-,false,10.0.1.14,win-dc-233.attackrange.local,445,microsoft-ds
3,650008,win-dc-233.attackrange.local,-,2021-06-03 13:54:00.741,{D419E45B-754A-60B6-6C00-00000000C401},3320,C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe,NT AUTHORITY\SYSTEM,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49948,-,false,10.0.1.12,-,8000,-
3,650013,win-dc-233.attackrange.local,-,2021-06-03 13:54:01.570,{D419E45B-752D-60B6-0B00-00000000C401},632,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM,tcp,false,true,0:0:0:0:0:0:0:1,win-dc-233.attackrange.local,49949,-,true,0:0:0:0:0:0:0:1,win-dc-233.attackrange.local,389,ldap
3,650012,win-dc-233.attackrange.local,-,2021-06-03 13:54:01.570,{D419E45B-753F-60B6-2D00-00000000C401},3028,C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe,NT AUTHORITY\SYSTEM,tcp,true,true,0:0:0:0:0:0:0:1,win-dc-233.attackrange.local,49949,-,true,0:0:0:0:0:0:0:1,win-dc-233.attackrange.local,389,ldap
3,595680,win-host-236.attackrange.local,-,2021-06-03 13:54:01.919,{97C2ED32-7885-60B6-EE00-00000000C501},3036,C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe,NT AUTHORITY\SYSTEM,tcp,true,false,10.0.1.15,win-host-236.attackrange.local,49784,-,false,10.0.1.12,ip-10-0-1-12.us-west-2.compute.internal,8000,-
3,650021,win-dc-233.attackrange.local,-,2021-06-03 13:54:03.058,{D419E45B-752A-60B6-0100-00000000C401},4,System,NT AUTHORITY\SYSTEM,tcp,false,true,fe80:0:0:0:8a7:5018:d121:bd39,win-dc-233.attackrange.local,49952,-,true,fe80:0:0:0:8a7:5018:d121:bd39,win-dc-233.attackrange.local,445,microsoft-ds
3,650020,win-dc-233.attackrange.local,-,2021-06-03 13:54:03.058,{D419E45B-752A-60B6-0100-00000000C401},4,System,NT AUTHORITY\SYSTEM,tcp,true,true,fe80:0:0:0:8a7:5018:d121:bd39,win-dc-233.attackrange.local,49952,-,true,fe80:0:0:0:8a7:5018:d121:bd39,win-dc-233.attackrange.local,445,microsoft-ds
3,650019,win-dc-233.attackrange.local,-,2021-06-03 13:54:02.955,{D419E45B-752D-60B6-0B00-00000000C401},632,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM,tcp,false,false,10.0.1.14,win-dc-233.attackrange.local,49951,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap
3,650018,win-dc-233.attackrange.local,-,2021-06-03 13:54:02.955,{D419E45B-7530-60B6-1600-00000000C401},1268,C:\Windows\System32\svchost.exe,NT AUTHORITY\SYSTEM,tcp,true,false,10.0.1.14,win-dc-233.attackrange.local,49951,-,false,10.0.1.14,win-dc-233.attackrange.local,389,ldap

EventID 22, DNSEvent
EventID,RecordNumber,Computer,RuleName,UtcTime,ProcessGuid,ProcessId,QueryName,QueryStatus,QueryResults,Image
22,649965,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.398,{00000000-0000-0000-0000-000000000000},6968,win-dc-233.attackrange.local,0,fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;,<unknown process>
22,649989,win-dc-233.attackrange.local,-,2021-06-03 13:53:57.899,{00000000-0000-0000-0000-000000000000},6968,WIN-HOST-236.ATTACKRANGE.LOCAL,0,::ffff:10.0.1.15;,<unknown process>

EventID 23, FileDelete
EventID,RecordNumber,Computer,RuleName,UtcTime,ProcessGuid,ProcessId,User,Image,TargetFilename,Hashes,IsExecutable,Archived
23,649988,win-dc-233.attackrange.local,-,2021-06-03 13:54:00.767,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security,"MD5=4BCE5FA9891CDDA93E8C0819187665BB,SHA256=AEC4C12600FDF572438A30E70BB2C45B299DB57EF47BDC880CC7EC1F5EF25662,IMPHASH=00000000000000000000000000000000",false,true
23,649987,win-dc-233.attackrange.local,-,2021-06-03 13:54:00.767,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=49741B85069759EF8AA4AC1DAB103636,SHA256=FA588C4DC57A3DDD7EA76B3C8B6CB0F5719827B2F7BA794D0EDA7CF131D6F300,IMPHASH=00000000000000000000000000000000",false,true
23,595672,win-host-236.attackrange.local,-,2021-06-03 13:54:00.683,{97C2ED32-788B-60B6-F700-00000000C501},3204,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security,"MD5=46EAB8EBEC91CE572CFE85D209CFE115,SHA256=869FF1EECBBD0987C9A20D43F54A5D1A6E03CA53BA4E8B3C1C940491606FC736,IMPHASH=00000000000000000000000000000000",false,true
23,595671,win-host-236.attackrange.local,-,2021-06-03 13:54:00.215,{97C2ED32-788B-60B6-F700-00000000C501},3204,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=A29644F7396DDA7FE049CEB5213909BF,SHA256=20CD1AFC019D561BE8B02ACC8A293F9ECF5CCED2C69E3520B71EF08E013D67D4,IMPHASH=00000000000000000000000000000000",false,true
23,649966,win-dc-233.attackrange.local,-,2021-06-03 13:54:00.251,{D419E45B-753F-60B6-2E00-00000000C401},3052,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe,C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml,"MD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000",false,true
23,649964,win-dc-233.attackrange.local,-,2021-06-03 13:54:00.001,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational,"MD5=47DBF9BEC62AEE32447881BE616CA701,SHA256=9C93CCABD187F802A60CD002BAB19CCFA801B76A8027547A2989824E049F2641,IMPHASH=00000000000000000000000000000000",false,true
23,650000,win-dc-233.attackrange.local,-,2021-06-03 13:54:01.907,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security,"MD5=C01C3B4F56D1DF73C95FE977826D08CB,SHA256=188AF05850163778FC1766F6E95A102DEB8D53FAB02F9BDCD40E0794FDA54C5F,IMPHASH=00000000000000000000000000000000",false,true
23,649993,win-dc-233.attackrange.local,-,2021-06-03 13:54:01.782,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=CBBB14B7DC468B6D0D8C9A3A1489D3BC,SHA256=E5874D646BAD6E4DB19796BF50C6B6D99AC431DF461B1134200C9616C287F0CD,IMPHASH=00000000000000000000000000000000",false,true
23,595675,win-host-236.attackrange.local,-,2021-06-03 13:54:01.902,{97C2ED32-772F-60B6-1000-00000000C501},976,NT AUTHORITY\LOCAL SERVICE,C:\Windows\System32\svchost.exe,C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat,"MD5=1412EC00CA288694710DBFA5D9CC1C74,SHA256=E12BF2902B53385CC8421F63E226809C91D41580E3D34816E821AE2D91B8B3F1,IMPHASH=00000000000000000000000000000000",false,true
23,595673,win-host-236.attackrange.local,-,2021-06-03 13:54:01.215,{97C2ED32-788B-60B6-F700-00000000C501},3204,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=F29D1C5F5DC6EC12B1935007E9D72320,SHA256=5B8029DCA6D33D60C075BB99204F52F6AC75F78DD7E9A79467A78C982AAE1394,IMPHASH=00000000000000000000000000000000",false,true
23,650003,win-dc-233.attackrange.local,-,2021-06-03 13:54:02.814,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=B5F923B4A1D4DE39F4B85706A2A0B9E1,SHA256=F4F17785123BC96BDABE068EFC7FB281704878C402F720F81741C775ADBAC949,IMPHASH=00000000000000000000000000000000",false,true
23,595676,win-host-236.attackrange.local,-,2021-06-03 13:54:02.230,{97C2ED32-788B-60B6-F700-00000000C501},3204,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=5FFB09EE46FFAA08FA454BC81F241FAA,SHA256=CDF8CE5A127467A11BF990229D562E6E006725560C65FC1C98DA7CEE5B3A4091,IMPHASH=00000000000000000000000000000000",false,true
23,650005,win-dc-233.attackrange.local,-,2021-06-03 13:54:03.845,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=C979C92AACFBF498B81E447CE6FD8E6F,SHA256=5F299B26F186569F4C2554849BA30520604D82224C9A16D562815593FCA3E693,IMPHASH=00000000000000000000000000000000",false,true
23,595677,win-host-236.attackrange.local,-,2021-06-03 13:54:03.246,{97C2ED32-788B-60B6-F700-00000000C501},3204,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=A24BEBDD6CB1C4F16B8A9030EF85B9E6,SHA256=31106AECDB4AC42984C44444976EA6CA70CDD58E7B1FA6CF1DF78286C4370622,IMPHASH=00000000000000000000000000000000",false,true
23,650004,win-dc-233.attackrange.local,-,2021-06-03 13:54:03.048,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security,"MD5=1BDDEDEF0119189770D2EED3F32294FD,SHA256=68FCC5C3B6B53A7A13C56C192DA72830C6E647C957EF8B47D0C27269D05FAF0E,IMPHASH=00000000000000000000000000000000",false,true
23,650007,win-dc-233.attackrange.local,-,2021-06-03 13:54:04.860,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=BF16BF4E0FF2B3777BDF97A7957532AE,SHA256=8F3EC8D8298F947555B550E83001DEBC41FB67B24B01C32E927163232618CC0C,IMPHASH=00000000000000000000000000000000",false,true
23,595679,win-host-236.attackrange.local,-,2021-06-03 13:54:04.277,{97C2ED32-788B-60B6-F700-00000000C501},3204,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=59B9B5C92B00E03611DB47930CEF4BBF,SHA256=DB7A9A3EF364CB9BB96EC5106DEC3C62DFC1A177A055B9980E98F7C8FD6EB909,IMPHASH=00000000000000000000000000000000",false,true
23,650006,win-dc-233.attackrange.local,-,2021-06-03 13:54:04.189,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security,"MD5=FCF0159D53FF8DD7237567979BAB5784,SHA256=59700530A9560B6A2B7645E92DE9EAD991BBB0A5C1AF588F0A469183B6EFB3FE,IMPHASH=00000000000000000000000000000000",false,true
23,595678,win-host-236.attackrange.local,-,2021-06-03 13:54:04.168,{97C2ED32-788B-60B6-F700-00000000C501},3204,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security,"MD5=1CD9573F082139D05AE1039080D30687,SHA256=092D4893863C82777DF1E1A27A7393156F868D5E827B18728F9BE3FA366F850E,IMPHASH=00000000000000000000000000000000",false,true
23,650011,win-dc-233.attackrange.local,-,2021-06-03 13:54:05.876,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=78B388847436CC81ED73E302B1E713D2,SHA256=0E445C60BEF8E6C059DE2A4252DD1CE9E28C1E073D69BF0C5083173E1775ABE9,IMPHASH=00000000000000000000000000000000",false,true
23,595681,win-host-236.attackrange.local,-,2021-06-03 13:54:05.324,{97C2ED32-788B-60B6-F700-00000000C501},3204,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=2E5DC49A4EDC1D329D22DFE9B488B414,SHA256=3A4FF81CBB134F189DE62DA71073E7C4A939D90EB84F6C21AA344C5D26F36AC3,IMPHASH=00000000000000000000000000000000",false,true
23,650009,win-dc-233.attackrange.local,-,2021-06-03 13:54:05.329,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security,"MD5=465C4CA8919077A38B7B7DBF0220B3F9,SHA256=97D7C35F0848E398B3D0AAD117030B1850C0CFEA1235DBF719C3C3A8956E37C3,IMPHASH=00000000000000000000000000000000",false,true
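Two things in the records above are easy to get wrong in a detection. First, the LDAP (389) and SMB (445) connections and the DNS lookups from PID 6968 carry a zero ProcessGuid and the image "<unknown process>"; only the EventID 10 and EventID 7 records on the same host name that PID as c:\temp\SharpHound.exe, so the network activity has to be attributed by pivoting on host, PID and time. Second, every EventID 10 record here has lsass.exe as the *source* and SharpHound as the *target*, with SspiSrv.dll, lsasrv.dll and RPCRT4.dll on the call stack: that is LSA's RPC server opening the client process while it services an authentication call, not SharpHound opening lsass.exe, and a rule that only checks for "lsass.exe in an EventID 10" will fire on it. Sysmon also logs both ends of these loopback connections, so the lsass.exe rows with Initiated=false on port 389 are the LDAP listener, not a client. The following is an added example, not code from this dataset or from the Attack Range project: a small triage routine that resolves the unknown image, scores the LDAP/SMB burst and classifies the lsass.exe ProcessAccess direction. The event dicts are constructed from values on this page and trimmed to the fields used; the thresholds (5 LDAP connections, 2 SMB hosts, 60 s) and the function names are my own choices.

```python
"""Triage of Sysmon records like the ones above: name the '<unknown process>'
PID, find the LDAP/SMB collection burst and keep the lsass.exe ProcessAccess
noise apart from real credential access. Added example, not part of the
dataset; the records below are constructed from values visible on this page."""
from collections import defaultdict
from datetime import datetime, timedelta

DC = "win-dc-233.attackrange.local"
LSASS = r"C:\Windows\system32\lsass.exe"
UNKNOWN = "<unknown process>"


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def net(t, pid, image, initiated, dst_ip, dst_port):
    """Constructed Sysmon EID 3 (NetworkConnect) record, trimmed to the fields used here."""
    return {"EventID": 3, "Computer": DC, "UtcTime": t, "ProcessId": pid, "Image": image,
            "Initiated": initiated, "DestinationIp": dst_ip, "DestinationPort": dst_port}


# Constructed sample: top frames of the call stack seen in record 649934 above.
SSPI_TRACE = (r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|"
              r"C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593")

EVENTS = [
    # EID 10: lsass.exe (PID 632) opens SharpHound (PID 6968) from the SSPI RPC server path
    {"EventID": 10, "Computer": DC, "UtcTime": "2021-06-03 13:53:59.173",
     "SourceImage": LSASS, "SourceProcessId": 632,
     "TargetImage": r"c:\temp\SharpHound.exe", "TargetProcessId": 6968,
     "GrantedAccess": "0x1478", "CallTrace": SSPI_TRACE},
    # EID 22: DNS lookups from PID 6968; Sysmon did not resolve the image
    {"EventID": 22, "Computer": DC, "UtcTime": "2021-06-03 13:53:57.398", "ProcessId": 6968,
     "Image": UNKNOWN, "QueryName": "win-dc-233.attackrange.local"},
    {"EventID": 22, "Computer": DC, "UtcTime": "2021-06-03 13:53:57.899", "ProcessId": 6968,
     "Image": UNKNOWN, "QueryName": "WIN-HOST-236.ATTACKRANGE.LOCAL"},
    # EID 3, client side (Initiated=true): PID 6968 to LDAP on the DC and SMB on two hosts
    net("2021-06-03 13:53:56.700", 6968, UNKNOWN, True, "10.0.1.14", 389),
    net("2021-06-03 13:53:56.720", 6968, UNKNOWN, True, "10.0.1.14", 389),
    net("2021-06-03 13:53:57.172", 6968, UNKNOWN, True, "10.0.1.14", 389),
    net("2021-06-03 13:53:57.173", 6968, UNKNOWN, True, "10.0.1.14", 389),
    net("2021-06-03 13:53:57.175", 6968, UNKNOWN, True, "10.0.1.14", 389),
    net("2021-06-03 13:53:57.176", 6968, UNKNOWN, True, "10.0.1.14", 389),
    net("2021-06-03 13:53:57.204", 6968, UNKNOWN, True, "10.0.1.15", 445),
    net("2021-06-03 13:53:57.204", 6968, UNKNOWN, True, "10.0.1.14", 445),
    net("2021-06-03 13:53:57.221", 6968, UNKNOWN, True, "10.0.1.14", 445),
    # EID 3, server side of the same loopback LDAP connections: lsass.exe listening on 389
    net("2021-06-03 13:53:57.176", 632, LSASS, False, "10.0.1.14", 389),
    net("2021-06-03 13:53:57.175", 632, LSASS, False, "10.0.1.14", 389),
    # EID 3: the Splunk forwarder's single management connection, not a burst
    net("2021-06-03 13:53:57.757", 3052,
        r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe", True, "10.0.1.12", 8089),
]


def resolve_image(events, computer, pid, when, window=timedelta(minutes=5)):
    """Name a PID that EID 3/22 logged as '<unknown process>' by pivoting to EID 10
    records on the same host that carry it as source or target. Keep the window
    short: PIDs are reused, so a match from hours away may be another process."""
    for ev in events:
        if ev["EventID"] != 10 or ev["Computer"] != computer:
            continue
        if abs(ts(ev["UtcTime"]) - when) > window:
            continue
        if ev["TargetProcessId"] == pid:
            return ev["TargetImage"]
        if ev["SourceProcessId"] == pid:
            return ev["SourceImage"]
    return None


def collection_bursts(events, min_ldap=5, min_smb_hosts=2, window=timedelta(seconds=60)):
    """Flag (host, pid) pairs that open many outbound LDAP connections plus SMB
    connections to several hosts within one window, the shape of a SharpHound
    collection run. Only Initiated=true rows count; the listener side (lsass.exe on
    389, System on 445) is logged too and would double the numbers."""
    by_proc = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 3 and ev["Initiated"]:
            by_proc[(ev["Computer"], ev["ProcessId"])].append(ev)
    hits = {}
    for key, evs in by_proc.items():
        start = min(ts(e["UtcTime"]) for e in evs)
        in_window = [e for e in evs if ts(e["UtcTime"]) - start <= window]
        ldap = sum(1 for e in in_window if e["DestinationPort"] == 389)
        smb_hosts = {e["DestinationIp"] for e in in_window if e["DestinationPort"] == 445}
        if ldap >= min_ldap and len(smb_hosts) >= min_smb_hosts:
            hits[key] = {"ldap": ldap, "smb_hosts": smb_hosts,
                         "image": resolve_image(events, key[0], key[1], start)}
    return hits


def classify_lsass_access(ev):
    """EID 10 triage. A handle opened *to* lsass.exe is the credential-dumping shape;
    a handle opened *by* lsass.exe on the client, with SspiSrv.dll or lsasrv.dll on
    the stack, is LSA servicing an authentication call and is not worth an alert."""
    src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
    trace = ev["CallTrace"].lower()
    if tgt.endswith("\\lsass.exe"):
        return "credential_access_candidate"
    if src.endswith("\\lsass.exe") and ("sspisrv.dll" in trace or "lsasrv.dll" in trace):
        return "lsa_auth_callback"
    return "other"
```

Running `collection_bursts(EVENTS)` flags only (win-dc-233.attackrange.local, 6968): six LDAP connections and SMB to 10.0.1.14 and 10.0.1.15 inside one second, with the image resolved to c:\temp\SharpHound.exe from the EventID 10 record two seconds later; the forwarder's lone 8089 connection and the lsass.exe listener rows do not score. `classify_lsass_access` returns lsa_auth_callback for the lsass-to-SharpHound record, which is the case to suppress; the same function labels a handle opened in the other direction as a candidate for credential access.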
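Most of the EventID 23 volume above is not attack activity at all: on both hosts it is splunk-winevtlog.exe deleting its own WinEventLog checkpoint files under var\lib\splunk\modinputs\WinEventLog\ once a second, and every one of those records has Archived=true, so Sysmon is also copying each deleted checkpoint into its archive directory. The following is an added example, not configuration from this dataset or from the Attack Range project: a Sysmon FileDelete exclude rule that drops exactly that pattern while still recording anything else the forwarder deletes. The rule name and the schemaversion are my own choices; the schemaversion has to match the Sysmon build in use, and the rule should be merged into the existing EventFiltering section rather than replace it, since a standalone FileDelete exclude filter turns on EventID 23 for everything that does not match.

```xml
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- EventID 23 (FileDelete) is recorded for everything except matches below. -->
      <FileDelete onmatch="exclude">
        <!-- groupRelation="and": both conditions must hold, so deletions by the
             forwarder outside its checkpoint directory are still logged. -->
        <Rule name="splunk_uf_wineventlog_checkpoints" groupRelation="and">
          <Image condition="is">C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe</Image>
          <TargetFilename condition="begin with">C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\</TargetFilename>
        </Rule>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply it with `sysmon64 -c <file>` and confirm with a few seconds of `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=23}` that the checkpoint deletions have stopped while other EventID 23 records (the serverclass.xml and lastalive1.dat deletions above, for instance) still appear. Excluding on the Image alone would be simpler but wider than needed.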
Sysmon records from the run-together export, continued: one record per line, grouped by EventID, with Channel Microsoft-Windows-Sysmon/Operational, Level 4, Opcode 0, Keywords 0x8000000000000000 and Task equal to the EventID left out of each row (Version is 3 for EventID 10 and 5 for EventID 3 and 23); the remaining fields are comma-separated in Sysmon's field order, with the Hashes field quoted.

EventID 3, NetworkConnect
EventID,RecordNumber,Computer,RuleName,UtcTime,ProcessGuid,ProcessId,Image,User,Protocol,Initiated,SourceIsIpv6,SourceIp,SourceHostname,SourcePort,SourcePortName,DestinationIsIpv6,DestinationIp,DestinationHostname,DestinationPort,DestinationPortName
3,650017,win-dc-233.attackrange.local,-,2021-06-03 13:54:02.948,{D419E45B-752D-60B6-0B00-00000000C401},632,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM,tcp,false,true,fe80:0:0:0:8a7:5018:d121:bd39,win-dc-233.attackrange.local,49950,-,true,fe80:0:0:0:8a7:5018:d121:bd39,win-dc-233.attackrange.local,389,ldap
3,650016,win-dc-233.attackrange.local,-,2021-06-03 13:54:02.948,{D419E45B-7530-60B6-1600-00000000C401},1268,C:\Windows\System32\svchost.exe,NT AUTHORITY\SYSTEM,tcp,true,true,fe80:0:0:0:8a7:5018:d121:bd39,win-dc-233.attackrange.local,49950,-,true,fe80:0:0:0:8a7:5018:d121:bd39,win-dc-233.attackrange.local,389,ldap

EventID 23, FileDelete
EventID,RecordNumber,Computer,RuleName,UtcTime,ProcessGuid,ProcessId,User,Image,TargetFilename,Hashes,IsExecutable,Archived
23,650015,win-dc-233.attackrange.local,-,2021-06-03 13:54:06.923,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=11ADBE18E83D4056CE0174566E5ABBC6,SHA256=F356571AAFAF2E838E21D272AC84CE614095343BB97FBD260575E00082A76490,IMPHASH=00000000000000000000000000000000",false,true
23,595682,win-host-236.attackrange.local,-,2021-06-03 13:54:06.340,{97C2ED32-788B-60B6-F700-00000000C501},3204,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=39AEDB05404E5F7BC7C511BB8483538E,SHA256=FDD871F854A7E74854B8963F2F061D6FF3D06F72F2AF3FFEBBE97F1D903A747A,IMPHASH=00000000000000000000000000000000",false,true
23,650014,win-dc-233.attackrange.local,-,2021-06-03 13:54:06.579,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security,"MD5=3DEFAB417FC92F59053BD2B0DDB2A532,SHA256=64AA61C9D7BE06FAA549836EA8B40F14CA60F969DBB08EE5F6A0C7CEF5C08EA7,IMPHASH=00000000000000000000000000000000",false,true
23,595683,win-host-236.attackrange.local,-,2021-06-03 13:54:07.355,{97C2ED32-788B-60B6-F700-00000000C501},3204,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=25B2BE88EB5B1A1D210A7E45F9579EDB,SHA256=6E43E1DD40D2FFCD62A2D4DAF4260E403F61D1ECB54CC45CC406FE6931A9CCBA,IMPHASH=00000000000000000000000000000000",false,true
23,595684,win-host-236.attackrange.local,-,2021-06-03 13:54:08.386,{97C2ED32-788B-60B6-F700-00000000C501},3204,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=50F7C17540E8ED29EE65486D5C2D4A82,SHA256=6369C8A79F389F9614FD3C2BCBDAD0901308B732C60A5B9F714BE95DC1B7EBD8,IMPHASH=00000000000000000000000000000000",false,true
23,650023,win-dc-233.attackrange.local,-,2021-06-03 13:54:08.079,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security,"MD5=93E6F87BF4574C77F92A40614BEFF697,SHA256=7D0D902229C61BCE9FCC5C255135FB0DEEDAFD97402E856CF6DD2BF498DC1695,IMPHASH=00000000000000000000000000000000",false,true
23,650022,win-dc-233.attackrange.local,-,2021-06-03 13:54:08.079,{D419E45B-7552-60B6-7500-00000000C401},2528,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=32A23E93F6DC5C0661F8A90DC9E6CBE2,SHA256=E4A923F41303ECBE9B3F82640CFA22F9AB483F93CCDC811BF819AE392D47562E,IMPHASH=00000000000000000000000000000000",false,true
23,595685,win-host-236.attackrange.local,-,2021-06-03 13:54:09.386,{97C2ED32-788B-60B6-F700-00000000C501},3204,NT AUTHORITY\SYSTEM,C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe,C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational,"MD5=5FF154313F298064656CD4A2101BBCC4,SHA256=C8A6408C6CFA7EE1CA891A6A3AE1A2150F22695395ABFE0FADCC901016D357A2,IMPHASH=00000000000000000000000000000000",false,true

EventID 10, ProcessAccess
EventID,RecordNumber,Computer,RuleName,UtcTime,SourceProcessGUID,SourceProcessId,SourceThreadId,SourceImage,TargetProcessGUID,TargetProcessId,TargetImage,GrantedAccess,CallTrace
10,650031,win-dc-233.attackrange.local,-,2021-06-03 13:54:09.532,{D419E45B-78A4-60B6-BF02-00000000C401},3976,5096,C:\Windows\Explorer.EXE,{D419E45B-A18D-60B6-EF0A-00000000C401},3200,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,0x1400,C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10,650030,win-dc-233.attackrange.local,-,2021-06-03 13:54:09.532,{D419E45B-78A4-60B6-BF02-00000000C401},3976,5096,C:\Windows\Explorer.EXE,{D419E45B-A18D-60B6-EF0A-00000000C401},3200,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,0x1000,C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10,650029,win-dc-233.attackrange.local,-,2021-06-03 13:54:09.517,{D419E45B-78A4-60B6-BF02-00000000C401},3976,5872,C:\Windows\Explorer.EXE,{D419E45B-A18D-60B6-F00A-00000000C401},1132,C:\Windows\system32\conhost.exe,0x1410,C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10,650028,win-dc-233.attackrange.local,-,2021-06-03 13:54:09.517,{D419E45B-78A4-60B6-BF02-00000000C401},3976,5872,C:\Windows\Explorer.EXE,{D419E45B-A18D-60B6-F00A-00000000C401},1132,C:\Windows\system32\conhost.exe,0x1000,C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
Partial record (continues on the next page line): 10,650027,win-dc-233.attackrange.local,-,2021-06-03 
13:54:09.517{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650026Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:09.517{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650025Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:09.220{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89C0385A564E71EDF565547BD425CBA2,SHA256=822BBB29129C5C479FB11A5E8D918FF8497DCB3EA1DDDBDDE3F6227300F7A5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650024Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:09.142{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F638C83D41C7C5DCA36D48B4BA82F3C2,SHA256=C2F2BB739CB6F38A2E77198FC5D32B03C9A877B0305D98D12C3D45BA37FF819C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000595689Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:10.402{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025807E0CE9DDF0EF823D4EB508BF458,SHA256=5EA491134CF6830C7C2ECB79F4AF167E70A799F9263DECAA0C71BCAD28F693C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650055Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.501{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650054Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:10.501{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650053Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.501{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650052Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:10.501{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650051Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.501{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650050Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:10.501{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000650049Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.501{D419E45B-DF02-60B8-844E-00000000C401}2400C:\Temp\notsharph.exeC:\Windows\SysWOW64\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=B7E2FC98A721415DE1B2A77D9A7B95ED,SHA256=CA6EE939BAD0EF32A1A62D1EA6D7D29006889FF6C4626650F9CD38FD6C27B87D,IMPHASH=F041BC2D00F8EE54536427C63882D791trueMicrosoft WindowsValid 10341000x8000000000000000650048Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:10.485{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650047Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.485{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650046Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:10.485{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650045Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.470{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650044Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:10.470{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650043Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.361{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=547C0C6F8F3CDD9BDAD7D2D7F9EE51DB,SHA256=946D34548A08D8F77147BD8D9F5C29F81D530086A33DF2D6066B48092C8ECD87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650042Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.282{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650041Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:10.282{D419E45B-78A0-60B6-AD02-00000000C401}22846252C:\Windows\system32\csrss.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650040Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.282{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650039Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:10.282{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650038Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.282{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650037Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:10.282{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650036Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.282{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b
5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.
Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000650035Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.267{D419E45B-DF02-60B8-844E-00000000C401}2400C:\Temp\notsharph.exe3.0.0.0SharpHoundSharpHound-SharpHound.exe"C:\temp\notsharph.exe" --CollectionMethod allC:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=63D22AE0568B760B5E3AABB915313E44,SHA256=61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x8000000000000000650034Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localEXE2021-06-03 13:54:10.251{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\notsharph.exe2021-06-03 13:54:10.251 23542300x8000000000000000650033Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.142{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2CAAAA20258E368D5AA1893F66D059E,SHA256=17DDFFDE5D731A38C64D0C17861D4E0D4576584B9ED04164C89A8B65A00ECF98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595688Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:07.950{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49785-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595687Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:10.215{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C784145502D76C2BC34B13DE35FCBDE5,SHA256=4BD29AEA7375A50F4E4E47C894D706D1D01D7FCECE1DA2D874FA6D9F2C4A90D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595686Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:10.215{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7050362018F511243C860FD2BEE4DD5,SHA256=80629BC76FA2BC33D14FA03977A0E0DB7F28FAFBD1A0736CD272A00891D945E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650032Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:05.772{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49953-false10.0.1.12-8000- 354300x8000000000000000650088Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.040{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49955-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650087Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.040{00000000-0000-0000-0000-000000000000}2400<unknown 
process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49955-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650086Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.015{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49954-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650085Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.015{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49954-false10.0.1.14win-dc-233.attackrange.local389ldap 22542200x8000000000000000650084Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.715{00000000-0000-0000-0000-000000000000}2400win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;<unknown process> 23542300x8000000000000000650083Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.517{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6210B7C7BBC3717BF2209B44C7A7612,SHA256=36482EB9ACAC55BB3B8D7A144A02ECB98CB7C59F211615EEAE1C980E81216A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650082Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.517{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CF78AE2449BB666CD11A5B5FD50BE3,SHA256=80B6580BC2A8579796D5CA52776B882F3086A2C7D7F935F646D043BAB2CFA013,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000650081Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.517{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FA8646C827E430AD84DA17DBD3A996E4,SHA256=E949D4F5DBFC03D0A1A30280583A9B711483A528BF3690CE47D04D6C9B25AC90,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650080Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:11.157{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.bin2021-06-01 18:15:53.751 23542300x8000000000000000650079Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.157{D419E45B-DF02-60B8-844E-00000000C401}2400ATTACKRANGE\AdministratorC:\temp\notsharph.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.binMD5=26BDB80E12ED00E1E636BC404FCF8889,SHA256=BBE9BBECF696B85D7601BA69DBE6CC3BE56CBB4166E4583BB4F1BCA1A04F8FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595691Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:11.824{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C784145502D76C2BC34B13DE35FCBDE5,SHA256=4BD29AEA7375A50F4E4E47C894D706D1D01D7FCECE1DA2D874FA6D9F2C4A90D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595690Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:11.402{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145BAC3573CD818A5FD44EEADCB71017,SHA256=F696EC5358921465C1C92ADD72D38BD17BBA8C4B26543E585C4A5AFCADA95FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650078Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.142{D419E45B-DF02-60B8-844E-00000000C401}2400ATTACKRANGE\AdministratorC:\temp\notsharph.exeC:\Temp\20210603135410_computers.jsonMD5=BC6D79EF4F469420EE4F76EEE7183FDA,SHA256=539A89CCB4A769A572593D28F7E62EF24C3A82AE53EC4440034D41D9DFE17690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650077Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.142{D419E45B-DF02-60B8-844E-00000000C401}2400ATTACKRANGE\AdministratorC:\temp\notsharph.exeC:\Temp\20210603135410_domains.jsonMD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650076Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.142{D419E45B-DF02-60B8-844E-00000000C401}2400ATTACKRANGE\AdministratorC:\temp\notsharph.exeC:\Temp\20210603135410_ous.jsonMD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650075Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.142{D419E45B-DF02-60B8-844E-00000000C401}2400ATTACKRANGE\AdministratorC:\temp\notsharph.exeC:\Temp\20210603135410_users.jsonMD5=3E9BF373CFDF495E48CB3AF1A6845963,SHA256=60E6A1128967EE05C94EA16086FBF591FF2E4EB08005D5ACBBE1B4AE051B4B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650074Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:11.142{D419E45B-DF02-60B8-844E-00000000C401}2400ATTACKRANGE\AdministratorC:\temp\notsharph.exeC:\Temp\20210603135410_gpos.jsonMD5=DCB570C80F70EAC0F6A8803BF8F48F7F,SHA256=C57F8C8470A8B1832A69F537DC41F66B22B6EB03D2CFF0E8AD53EEE1E4BA0F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650073Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.126{D419E45B-DF02-60B8-844E-00000000C401}2400ATTACKRANGE\AdministratorC:\temp\notsharph.exeC:\Temp\20210603135410_groups.jsonMD5=03438CCBE4C4BB90D4E8E43FE45BE025,SHA256=971074EC0F76784F2622CE935A865136AAB34C36A7DC4646F22F9CC2A873CCFB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650072Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:11.110{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\20210603135410_BloodHound.zip2021-06-03 13:54:11.110 11241100x8000000000000000650071Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:11.079{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\20210603135410_computers.json2021-06-03 13:54:11.079 11241100x8000000000000000650070Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:11.079{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\20210603135410_domains.json2021-06-03 13:54:11.079 11241100x8000000000000000650069Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:11.079{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\20210603135410_ous.json2021-06-03 13:54:11.079 11241100x8000000000000000650068Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:11.079{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\20210603135410_users.json2021-06-03 13:54:11.079 
11241100x8000000000000000650067Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:11.064{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\20210603135410_gpos.json2021-06-03 13:54:11.064 10341000x8000000000000000650066Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.064{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000650065Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:11.064{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000650064Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:11.064{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000650063Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:11.048{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650062Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.048{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000650061Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.048{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650060Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:11.048{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650059Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:11.032{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000650058Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:11.032{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650057Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.032{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000650056Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 
13:54:11.017{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\20210603135410_groups.json2021-06-03 13:54:11.017 23542300x8000000000000000595697Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:12.480{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052D90A57C375753729C9D43A6DF1AA8,SHA256=7A13453EFD086149CF4BA1886242AAA3AA03B5E01080C6F3FF4307B887D14F12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650110Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49957-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650109Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49958-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650108Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.512{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49956-false10.0.1.14win-dc-233.attackrange.local389ldap 23542300x8000000000000000650107Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:12.657{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FD376A6A7A7FCFE017EE6B6822FF359,SHA256=BA3791C112C3C9949FE51E87C6B076DADBF40C93A26D60D01E1E77DF411CED86,IMPHASH=00000000000000000000000000000000falsetrue 
22542200x8000000000000000650106Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:09.241{00000000-0000-0000-0000-000000000000}2400WIN-HOST-236.ATTACKRANGE.LOCAL0::ffff:10.0.1.15;<unknown process> 23542300x8000000000000000650105Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:12.173{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8B4D4F17D976F1CBCD8E8D05E4B1E7,SHA256=18E3007BA8DCCBEB5A92298EA8E8D307BFDB45B33E2F63752224DE75709AAE8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650104Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.517{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49965-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650103Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.517{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49965-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650102Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.516{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49963-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650101Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.516{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49963-false10.0.1.14win-dc-233.attackrange.local389ldap 
354300x8000000000000000650100Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.515{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49962-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650099Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.515{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49962-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650098Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49961-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650097Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49961-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650096Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{00000000-0000-0000-0000-000000000000}2400<unknown process>-udptruefalse127.0.0.1-52420-false127.0.0.1-52420- 354300x8000000000000000650095Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49960-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650094Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49959-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650093Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49957-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650092Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49958-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650091Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49960-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650090Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49959-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650089Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.513{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49956-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000595696Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:09.896{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49973-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 
354300x8000000000000000595695Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:09.894{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49972-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595694Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:09.894{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49971-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595693Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:09.860{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49968-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595692Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:09.848{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49967-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 23542300x8000000000000000595698Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:13.480{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85D1C996B439CDE9A78BB2465C1C392,SHA256=46D504335632AA1450257E7068F921C0BB5456ED4771BB85E83CB1468FAA87A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650123Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:13.907{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=787448969D794837FFDC61504A90182F,SHA256=0EA4F16D31C6905B2A2E1736777FBD48C71A58111C39A8278B3319345BF31A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650122Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:13.204{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9D268244164F00033E3838117950D3,SHA256=24FEE2016A66EC67BF624EDC78534B99EE854C9264CB794A017197F66B0B21AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650121Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.593{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49973-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000650120Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.591{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49972-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000650119Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.591{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49971-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000650118Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.579{D419E45B-752A-60B6-0100-00000000C401}4SystemNT 
AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49970-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000650117Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.579{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49970-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000650116Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.576{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49969-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000650115Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.576{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49969-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000650114Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.557{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49968-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000650113Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.546{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49967-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000650112Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.545{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49966-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 
354300x8000000000000000650111Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.545{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49966-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000595699Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:14.480{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B88C07183AF15543837AEB078FD40E,SHA256=1D54D061C286113EEC58B0DA4C923D7FA3C13A41CEB10D27915830984FD45307,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650171Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650170Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650169Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650168Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650167Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650166Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650165Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650164Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650163Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650162Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650161Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650160Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650159Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650158Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650157Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650156Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650155Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650154Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650153Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650152Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650151Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650150Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650149Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650148Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650147Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650146Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650145Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650144Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650143Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650142Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650141Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650140Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650139Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650138Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650137Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650136Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650135Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650134Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650133Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650132Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650131Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650130Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650129Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650128Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650127Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650126Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650125Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650124Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.235{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D4F684DA42F39BB211101535D8295B,SHA256=0E8210CDED2C57636BC10A93F393CD79AF08BA310F5D88A7E4FC7E0D81B6DF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595701Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:15.511{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491B7EE58288FB4492E41FAD4CC53B6C,SHA256=7BB0B68806DCD4C473191C67D6E55A66E74D880DD4A204A0E26FC72E408466BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650191Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.860{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF07-60B8-864E-00000000C401}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650190Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:15.860{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650189Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.860{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650188Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:15.860{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650187Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.860{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650186Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.860{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DF07-60B8-864E-00000000C401}4896C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650185Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.860{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF07-60B8-864E-00000000C401}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650184Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.861{D419E45B-DF07-60B8-864E-00000000C401}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650183Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.485{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591F8840D4E8B377C65F40AFC0B8ECDE,SHA256=A2FD362D8887CCDA9E064E7A41DF360676C2C0F5F09B90A5BAA672CB09212AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650182Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.470{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568214C028E4964DAD8BCF175C4CD264,SHA256=2D1EE9D9C7467D28E57E3A782C2F776A0DE67549949D5B6C579F60A2B54FBB80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650181Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.470{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF92AAC12F825C1088A873E996D1EA83,SHA256=B453D27BCDF495FB5B234D3D29B52B8652CFCAEBC8EE7599650FB94C637079E9,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000650180Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.345{D419E45B-DF07-60B8-854E-00000000C401}62042716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595700Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:15.168{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=851DC86BD49F9E69B698E24BEAFD3479,SHA256=9F2CD3F325AC2B7057D4B6667CFA2D241798362EA6B9C4B80DFFA0ABF63096F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650179Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.189{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF07-60B8-854E-00000000C401}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650178Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:15.173{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650177Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.173{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650176Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:15.173{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650175Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.173{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650174Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.173{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DF07-60B8-854E-00000000C401}6204C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650173Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.173{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF07-60B8-854E-00000000C401}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650172Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.174{D419E45B-DF07-60B8-854E-00000000C401}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595703Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:16.521{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EDA96BDA8B5FA5F25D84AA7B047A5F,SHA256=6F8CB302A05699C6BDD36504580557502108BEA13FBBE7D0AC50497904ABB6A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650203Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.636{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38BA1C6A8480D8A7DA10697D6ECAAA37,SHA256=2A7D45DCCCAB67AFFC541B0FFE191C0C73CF153D68BEAE873D0025F01F2798ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650202Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.636{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8EA68BE47C4273CCFEC5A51217D0A1,SHA256=524CAAA3ED58CC0E71C3AC39AFCC31D6E1AD28FBC55060347FDD6C473B52B9AB,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000650201Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.542{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF08-60B8-874E-00000000C401}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650200Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.526{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650199Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:16.526{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650198Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.526{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650197Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:16.526{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650196Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.526{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DF08-60B8-874E-00000000C401}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650195Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.526{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF08-60B8-874E-00000000C401}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650194Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.527{D419E45B-DF08-60B8-874E-00000000C401}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000595702Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:12.997{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49786-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000650193Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:11.522{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49974-false10.0.1.12-8000- 10341000x8000000000000000650192Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.048{D419E45B-DF07-60B8-864E-00000000C401}48966272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595704Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:17.521{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6878A55C291D3ABBBD3A227A40490128,SHA256=2A3D8D6B43B5C34B32A37F9FB715103AD36CF285261288C973FBE95C854B75D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650222Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.792{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF09-60B8-894E-00000000C401}1936C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650221Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.792{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650220Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:17.792{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650219Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.792{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650218Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:17.792{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650217Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.792{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DF09-60B8-894E-00000000C401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650216Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.792{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF09-60B8-894E-00000000C401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650215Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.781{D419E45B-DF09-60B8-894E-00000000C401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650214Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.776{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA1CF8E58AC26D1C128B88E42B3D0711,SHA256=3696D3FE4BE8EDF11359934BD15285D5438DD1037E684057467E2973AAAC0265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650213Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.776{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED82BD5F7A444F70FE368760ABBE838,SHA256=2613C3FC1E9CD4AB48E5212E9F8F3FD0E8A45753EB98FAE60E08C1414B64CDCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650212Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.370{D419E45B-DF09-60B8-884E-00000000C401}38804704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650211Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.214{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF09-60B8-884E-00000000C401}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650210Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:17.198{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650209Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.198{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650208Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:17.198{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650207Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.198{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650206Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.198{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DF09-60B8-884E-00000000C401}3880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650205Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.198{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF09-60B8-884E-00000000C401}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650204Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.199{D419E45B-DF09-60B8-884E-00000000C401}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000650241Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.933{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF0A-60B8-8B4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650240Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.933{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650239Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:18.933{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650238Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.933{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650237Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:18.933{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650236Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.933{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DF0A-60B8-8B4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650235Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.933{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF0A-60B8-8B4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650234Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.925{D419E45B-DF0A-60B8-8B4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650233Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.917{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92F730FAD2319E8275F6893B0200659,SHA256=74FDCC686ECE842FF864ECF14B0B1A1F5747DCDFAF90B542D4E7423592F622B3,IMPHASH=00000000000000000000000000000000falsetrue 
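The runs of Sysmon Event ID 10 (ProcessAccess) records above show the benign baseline on a domain controller running the Splunk Universal Forwarder: svchost.exe (via lsm.dll over RPC) opening sysmon64.exe with GrantedAccess 0x1400, and csrss.exe and the parent splunkd.exe taking 0x1fffff on each freshly spawned splunk-*.exe helper. A practitioner reading this export wants the access masks decoded and these known-good pairs filtered out so that anything else stands out. The following is an added example, not part of the log export or of Splunk's or Sysmon's own tooling: it parses Sysmon's rendered "Key: value" message text, names the PROCESS_* rights in each mask, and applies a small baseline. The sample records are constructed to mirror the events on this page (call traces abbreviated); the fourth record, C:\Users\Public\svchost.exe with PID 7777, is hypothetical and tagged as such in its RuleName. The ALLOWED_PARENTS baseline and the verdict rules are assumptions for illustration.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) records.

Added example; not part of the log export above. SAMPLE is constructed to
mirror events on this page (call traces abbreviated) plus one hypothetical
suspicious access. Field names are Sysmon's own; the baseline rules are an
illustrative assumption, not a vendor ruleset.
"""
import re

# PROCESS_* access rights from winnt.h; 0x1FFFFF is PROCESS_ALL_ACCESS (Vista+).
ACCESS_BITS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE",
}
# Rights that let the source read or alter the target's memory or threads.
INTRUSIVE = {"VM_READ", "VM_WRITE", "VM_OPERATION", "CREATE_THREAD", "DUP_HANDLE"}
# Assumed baseline: a service host may hold full access on helpers it spawns
# under its own bin directory (splunkd.exe -> splunk-*.exe on this page).
ALLOWED_PARENTS = [("\\splunkd.exe", "c:\\program files\\splunkuniversalforwarder\\bin\\")]

# Constructed input in Sysmon's rendered message format; last record is hypothetical.
SAMPLE = r"""
RuleName: -
SourceProcessId: 848
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessId: 3020
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593

RuleName: -
SourceProcessId: 412
SourceImage: C:\Windows\system32\csrss.exe
TargetProcessId: 3880
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

RuleName: -
SourceProcessId: 3052
SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
TargetProcessId: 3880
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b

RuleName: constructed-hypothetical
SourceProcessId: 7777
SourceImage: C:\Users\Public\svchost.exe
TargetProcessId: 3020
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1438
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Users\Public\svchost.exe+1a2b
"""


def decode_access(mask):
    """Expand a GrantedAccess mask such as '0x1400' into named PROCESS_* rights."""
    value = int(mask, 16)
    names = {name for bit, name in ACCESS_BITS.items() if value & bit}
    if value & 0x1FFFFF == 0x1FFFFF:
        names.add("ALL_ACCESS")
    return names


def parse_sysmon_records(text):
    """Split rendered 'Key: value' message text into one dict per event."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                rec[key.strip()] = value.strip()
        if "GrantedAccess" in rec:
            records.append(rec)
    return records


def triage(rec):
    """Return (verdict, reason) for one ProcessAccess record."""
    rights = decode_access(rec["GrantedAccess"])
    src, tgt = rec["SourceImage"].lower(), rec["TargetImage"].lower()
    trace = rec.get("CallTrace", "")
    if "UNKNOWN(" in trace:  # Sysmon renders frames in unbacked memory this way
        return "suspicious", "call trace passes through unbacked memory"
    if not rights & INTRUSIVE:
        return "benign", "query-only rights: " + ",".join(sorted(rights))
    if src.endswith("\\csrss.exe") and "csrsrv.dll" in trace.lower():
        return "benign", "csrss registering a new process with the subsystem"
    if any(src.endswith(p) and tgt.startswith(d) for p, d in ALLOWED_PARENTS):
        return "benign", "known parent handling its own child process"
    return "suspicious", "intrusive rights from unexpected source: " + ",".join(sorted(rights & INTRUSIVE))


def run(text):
    """Triage every record in the text; returns (source, target, verdict, reason) tuples."""
    return [(r["SourceImage"], r["TargetImage"], *triage(r)) for r in parse_sysmon_records(text)]


if __name__ == "__main__":
    for src, tgt, verdict, reason in run(SAMPLE):
        print(f"{verdict:10} {src} -> {tgt}: {reason}")
```

The three page-mirroring records come back benign (query-only 0x1400, csrss registration, parent-to-child full access); the hypothetical 0x1438 access to sysmon64.exe from a masquerading svchost.exe outside System32 is flagged because it carries VM_READ, VM_WRITE and VM_OPERATION from a source the baseline does not know. In a real pipeline the ALLOWED_PARENTS list should be built from Event ID 1 parent/child relationships rather than hard-coded, and the UNKNOWN( check should be treated as a strong signal on its own.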
23542300x8000000000000000650232Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.917{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38B688EAD8E797D1D131D005F23180C4,SHA256=6273940131F76715D385BF77288ECBB712B15156FB902F6C546BBA556A28EAD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595705Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:18.537{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A5F94473029048BEA2FE0B93939435,SHA256=EC431604E60A56283504EF9DED7218DBCA2DF307700210B11D10AA6B909FA51C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650231Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.308{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF0A-60B8-8A4E-00000000C401}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650230Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:18.292{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650229Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.292{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650228Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:18.292{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650227Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.292{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650226Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.292{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DF0A-60B8-8A4E-00000000C401}5348C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650225Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.292{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF0A-60B8-8A4E-00000000C401}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650224Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.293{D419E45B-DF0A-60B8-8A4E-00000000C401}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000650223Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.011{D419E45B-DF09-60B8-894E-00000000C401}19364024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650243Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:19.933{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99DE9681045682E451EC8EB399D92053,SHA256=B317162C1DC3FABB641CCA7D99C4779A93F39ACC50FA03222C6E06103EB7C4AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595706Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:19.537{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AADAE6B6139659566607774ACEFF01,SHA256=DA6E61FB20C32A987F2AE96274CC9F867B0A628209449DB6A7D2254F28446A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650242Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:19.558{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0F966BFA2783A14B6B7455D4894551C,SHA256=1250E905987AB1CCA33F9F3BDD169D75F64E57A8489D3F7DDF375E62B9EFAE2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650245Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:20.964{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89B685B67855BD0518C2DEBB08DFF83,SHA256=DD720378910321CAC5A96D26DA875C20174098299DA8C432AEB85C97F83D0BA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595710Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:18.038{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49787-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595709Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:20.552{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96962C2BD26B119709F6C6C9DEB481A6,SHA256=EF602402FC5833E8E7F48CEE115242DF51FE00BE087C50960D6380B9FDC44801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650244Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:20.809{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4605D87204BC2CF4F514E80F1D63C95D,SHA256=E934EA6645CCE4B24CD723FAC2857DD6598F3BEDD7E776F7C4AA6F9EE17DB5CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595708Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:20.208{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ECBCE475F86E8D57CC83CB044667F81,SHA256=BB24244ECE0DB8FA7F805C4F861E1CCEF5457083B6B37FA6F589A8F30BFDE3BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595707Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:20.208{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=558E6D89B48A8EB8C723151844A038CB,SHA256=4B9FA5B30A1BB436A8B57CB488B91FAD19A8E5276A3A7EF4294CD722D75EBD75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595711Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:21.552{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A5A24063D32FFCB3C98B00AE82A18B,SHA256=CB2FE92E2957285A35635DE9F8245D288A4B921E98374685FF4627CE2DD7862E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650246Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.532{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49975-false10.0.1.12-8000- 23542300x8000000000000000595713Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:22.630{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ECBCE475F86E8D57CC83CB044667F81,SHA256=BB24244ECE0DB8FA7F805C4F861E1CCEF5457083B6B37FA6F589A8F30BFDE3BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595712Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:22.568{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B77AD7DA10DB32B4735E0F19BB39E5,SHA256=FC75CFEFEB1F17444C758F0B723F5D8D3E04217009771361B5E03E6CE13FA4A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650248Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:22.183{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3ADA78A767CFD837BCE22CABC510B71,SHA256=71A87F1F1DAE1FFBD0C89D534FEE95889F873588C6B3644A0911046735F4256A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650247Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:22.183{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C44EDC117D6458226563490ED1C330B2,SHA256=0BB2E1691C9A5FD5E5E32437D246BD2D8A7C276339969F6884F6BCDB0E348C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595714Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:23.568{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148D5B5F2607DD0A30C53428C3C96C6F,SHA256=C31CFCA7A17F32AC5172F0B244734ECECD7011EDE317E00A1FFE1B43D605B592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650250Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:23.308{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B7F0DF023B19211CFB27AA0FDC2DF32,SHA256=B292D9E59B6D1CC8F6FD7834B567B8D18ECA3F2BF591347E1947468CB99FBCB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650249Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:23.183{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30E1D3C7068C4B509757D74FD3CAB98,SHA256=984CB9FB9ACA5BFC995A7E818E058A2695427B618D060E78F56A92A04D2CB2B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595715Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:24.584{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543EE6BEA8943754F34F64750F68EF4A,SHA256=B5D9CDF37709589CD4E15FC29006A62F2A63B258D1AA1FF5A8ECC9CA6D240BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650252Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:24.339{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C24B318F64DD3332612778E76C8869E2,SHA256=F65EE1715A8F16753036E9BFC2B4131B425EB1F2F1B664DC97E3D19941CD47E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650251Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:24.198{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E031A1E77F3887B053ABA06C1E2BAE,SHA256=2487841539BE38C18CBC85E6568B0C5B2E6CA484C4B0DB679DFF645BA80C2C01,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650256Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:25.761{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXEC:\$Recycle.Bin\S-1-5-21-3762655356-77726385-4168110057-500\$I1HQE7U.ps12021-06-03 13:54:25.761 354300x8000000000000000650255Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:21.594{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49976-false10.0.1.12-8000- 23542300x8000000000000000650254Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:25.542{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=042D5E09C60283D7085504CCB0D3ACCA,SHA256=96D2C5797DAA310AB74B1AD56A500C1FC8C9B0FE1AC823AD526B2311F1637D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650253Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:25.230{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B68F2D29EF1BB8D587414145AB8A11,SHA256=916545F08830994BDF222B5025AAC3179C7A0A58635E0D44EE819B803E330D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595716Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:25.599{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027B8061E3E3BE528FBA3C951B3914D1,SHA256=EC3654519B8ABB7FFD4D6F059D15578DAC7F8E1A552F2707914180FA5FA09132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650264Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.636{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A99F539C11EF1EDB91751415C166DCC3,SHA256=5763B8DD1411B462EF64632859A8009DA5D73F70B5E49DE453C5F65F8E4D36FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650263Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.542{D419E45B-78A4-60B6-BF02-00000000C401}39765096C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650262Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:26.542{D419E45B-78A4-60B6-BF02-00000000C401}39765096C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650261Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.526{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650260Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.526{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650259Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:26.526{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650258Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.526{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650257Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.464{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907B7336D7513B7527748490FBC95C28,SHA256=8CFD46E0397A3BC0E636837EC24242303E656631FECE4397474A5F7EA4ED2D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595719Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:26.615{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40568D4E679E64C27EEE46DCEAAD6E8A,SHA256=1EAC69F91890528E4E8EBC547F9C2B6E0E53D1C937D8FBC8846C43462D7D25B8,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000595718Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:23.898{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49788-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595717Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:26.208{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=388C2A4B14B3FBE9E63FB5D82A10D1FC,SHA256=46258AB221806C7B1F8D510BB62076D1B8ACDF799F6AEBA0E29A73FD3B7A00A5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650267Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:27.808{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\AzureHound.ps12021-06-01 20:59:15.697 23542300x8000000000000000650266Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:27.761{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF156640CD09FC419EB995CDD64E917E,SHA256=38AB7F93E80722B60C09AD44DA1EFC950FD19A1E102C9D230C87AD6E522F503B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650265Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:27.542{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CEF926EB1794ECE6CA8E7DF35ED4A5,SHA256=D4B0816BE4D55C03DE6450E6EE4C28F0D183BA7725937786BA5B68CE0A68403A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595720Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:27.630{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F466DF4426DC9CE8AFE7091F2D0D30BB,SHA256=F931A18251954E901C3E66286D4EE630E39B1A9E54EF996E2464CD97D44CB3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595722Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:28.787{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF965df90.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595721Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:28.646{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC73BF48D91A7E71400719372D449EF4,SHA256=76325B54DAA2094942E50FD5A7D20A87390C0CF5E13141F5816A58F10C356EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650268Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:28.558{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7407B396687929A61F6CF83660650D3,SHA256=CEC0B92B5279DEA7D2E37336BE6D4B1627D08F9898F9219AA24DA5071C2985D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650284Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.948{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650283Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.948{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cacheMD5=03EEF13C7CCD45883A576026C0F30911,SHA256=8984D11A351CBEEFCE5E0659518724B912A9FDECD8DA5E441732EF4ED3584BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650282Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.638{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCEAEE96AC4D772FC83DE290780E18A4,SHA256=0311A6B2E20AE6FE98561D2CED24434D232161FAF072AA8CDF44BF4A7A74CB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650281Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.573{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D68671045D002ED7B0C08825A4804D3,SHA256=E670A03965A6F07EA6F44743B9E1932FD43E26D5E6982C87D1F425BC4D9AB53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650280Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.573{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F194B8EAFF0632BDA8EC82209CAEB76,SHA256=906D3598BA7038EF014FFDD4276FB48ABEB9ECEF5C51D7EB174C0C0D2F726D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595723Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:29.662{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0764D84ECD5536A5D59D295BD6459F,SHA256=BACA1C191F18BF58591A6F630A4EE61CB1BD6780AD04720EBF6EEA518FF9BA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650279Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.464{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5F31C0A9A1499EACFBDB084911F397E,SHA256=C6A6C9144B42A3EC265EC922314FDF4DB70CD08BF9D78D67F9DB3BE8796E3CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650278Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:29.448{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650277Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.448{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650276Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.433{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1A0984A1C073C3FB0203BAAFCA502638,SHA256=0542187118ECB9925F835BB32713E03DD5B5E5B9B66CB4F9E7EDDF2D0C6BD0E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650275Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.355{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A3F266C1DDFF6868CBE99A0D01BD5DA,SHA256=E6BF3E33D09459FF0E711C982035625A49C223429EF8B42BD2E3DA97CA5A29C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650274Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:29.339{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=687147D5B2E786AE3FF26450AADA4ED9,SHA256=E3C5BBD986785055ACA245BC3257BED5051B2CFA8D72FA6468F0A0AF59BB10EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650273Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.245{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=865356AA88E4798F44B2DBE227ACDD5D,SHA256=6C9F6E2E45D5E2DECFB8611783E96F79641CC198005C354F3E724303C6D7982E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650272Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.217{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E506B581B4B2AFC3C76B2ED1120FDC3A,SHA256=86DA978276279D2FE25E0C160B9C486DC37343F4CA8F2382D24FDFA10CA7382B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650271Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.167{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=93D870B1D6AB9E83F71B7F34F14BBEBE,SHA256=F81C71EACFA039484B5EF5D026888A68250291A7A022FF6AC26C609CE948FE36,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000650270Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.026{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=94ABFB5096A8ECC984DFB9EA8D876D68,SHA256=7675C479433DFAC9BCF964435E6C85CCC772EADB48C779748E5FFA7FD06A7B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650269Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.026{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6EECA5D6C845F293AABE7993417BAB7,SHA256=9579DE4AB73A672B8ED26E38ECB75F0EEBEB1A44FFABE5A3878003D06055D9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595726Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:30.662{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E213D0CC833FC5676A726477F506757A,SHA256=9A46E3ACDADE9C516CD26C814A25989C6AD2D97EC623576014D2455161FEE26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650300Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:30.980{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650299Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.980{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650298Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.982{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local52656- 354300x8000000000000000650297Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.766{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49977-false10.0.1.12-8000- 23542300x8000000000000000650296Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.761{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000650295Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.761{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cacheMD5=F8E4F2AC6D01D18F0E8CD5EB992BB3F3,SHA256=7FD24CE982E05847298F8E509B60C5EA1E041838F2346B231CD444E7B8DF71CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650294Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.573{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F8BCCEFB068293ED4605A90E235F09,SHA256=7E557EE8E1947ECCB954F485D8C2B0A8C839402A158F46A3DC5CF2110A811EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650293Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.480{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650292Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.464{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000650291Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:30.448{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-aztenants.json2021-06-03 13:54:30.448 11241100x8000000000000000650290Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:30.370{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azgroups.json2021-06-03 13:54:30.370 11241100x8000000000000000650289Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:30.276{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azusers.json2021-06-03 13:54:30.276 23542300x8000000000000000650288Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.198{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=800A9301283B526B9E470B8E015F2C83,SHA256=F19AEA49E255ECDA1ECD2F7651CD5AF676765B72B6450655F9D97B79B67E32AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650287Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.136{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=85E6253448D41AD433F7BB30D105C44E,SHA256=5A1F45D4254858A685C987040D29A25142B5A93B65FC35C29EB9B9DE69EE8EA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650286Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:30.073 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=14F5C8BBF4404E35511E4533C525A033,SHA256=DCBE9F5A2FF04CAAC9E3BB5B7DB0ACCEA9BCFB5270672A17657CABE06C943097,IMPHASH=00000000000000000000000000000000 | false | true

Field order (one event per line; the first ten fields are the Windows event header, the rest are the Sysmon EventData fields for that EventID, in Sysmon's schema order):
  all events:                EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer | RuleName
  EventID 3 (NetworkConnect): ... | UtcTime | ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
  EventID 11 (FileCreate):    ... | UtcTime | ProcessGuid | ProcessId | Image | TargetFilename | CreationUtcTime
  EventID 22 (DnsQuery):      ... | UtcTime | ProcessGuid | ProcessId | QueryName | QueryStatus | QueryResults | Image
  EventID 23 (FileDelete):    ... | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived

23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650285 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:30.011 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=5D9091B93DDEC6133EF5814F95EF744D,SHA256=EF3E33D260816CECF036D1FFBABF3893E3F1A401E4987206260D9BDE26F7624D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 595725 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 13:54:30.318 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System | MD5=0787DDC60CCB4A0C15FE13F75273E61C,SHA256=8542DC4E69C7D5000DB45DC0397196C03666140E4DFE36E6637FBAF56AB3524B,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 595724 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 13:54:30.318 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System | MD5=58267FC029525A660CBD7F7DD68DBBA3,SHA256=5754DDA688749EF9BA8124AF320592321CA641196F8F3DF72333123BCA56B724,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 595729 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 13:54:31.662 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C509CDDE94A57E448EDCF134D4C27FEC,SHA256=47E0A645DB4829B7AD63C4E0E7A3A5F0B340A635D2D90A73AB5A97D5492A62A1,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650322 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.745 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=CE7879719EB7736EED43A423284B15BF,SHA256=056E2AA136BE52DAF7390D55D2DF49197888D1969CCB8230CACF0E6504B7BD13,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650321 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.745 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650320 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.730 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650319 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:27.661 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49980 | - | false | 40.126.26.131 | - | 443 | https
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650318 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:27.640 | {D419E45B-753F-60B6-2700-00000000C401} | 2868 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 53 | domain | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 57063 | -
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650317 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:27.504 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49979 | - | false | 20.190.132.43 | - | 443 | https
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650316 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:27.481 | {D419E45B-753F-60B6-2700-00000000C401} | 2868 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 53 | domain | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 49676 | -
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650315 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:27.039 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49978 | - | false | 40.126.29.10 | - | 443 | https
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650314 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.651 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=7BC272B1B061A7C366F0B14E60632350,SHA256=E4CA48FC2A26A6C1A35D9CB48BC5B19E198CA73430E7CA56339FF11C64EB9CDE,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650313 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.589 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=01499548D930C7645DC129172E5C84B7,SHA256=F99431FFB8F1C85A81CA6D5A289F7B59874AADE3FC5AC2A6EC8A1CB2AD3F30C5,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650312 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.589 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=17AEC58E12D38EB49118E5242A66F981,SHA256=52851E2148010F4529BC94014CD153197B1E3E9A29BDA2C755D851FC6B1607B6,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 595728 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 13:54:29.085 | {97C2ED32-7885-60B6-EE00-00000000C501} | 3036 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-236.attackrange.local | 49789 | - | false | 10.0.1.12 | ip-10-0-1-12.us-west-2.compute.internal | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 595727 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 13:54:31.052 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=A91C633471A26A316B6641B85CF0A0FE,SHA256=4BDFC1FA43EAF98BEB144A9D0129F6124EBFDAD67ED6B929822432C5EF9AF1BA,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650311 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.526 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650310 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.526 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650309 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.526 | {D419E45B-752F-60B6-1300-00000000C401} | 616 | NT AUTHORITY\LOCAL SERVICE | C:\Windows\System32\svchost.exe | C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat | MD5=8CBF71F76437F417B0C119AB21C73B58,SHA256=19362518A6F9FA9D9E29DE6465F714812F7EAB199BC215C1A68606FD379E78B1,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 650308 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | T1053 | 2021-06-03 13:54:31.511 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Temp\20210603015429-azsubscriptions.json | 2021-06-03 13:54:31.511
22 | 5 | 4 | 22 | 0 | 0x8000000000000000 | 650307 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:28.338 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | graph.windows.net | 0 | type: 5 na.privatelink.msidentity.com;type: 5 prdf.aadg.msidentity.com;type: 5 www.tm.f.prd.aadg.akadns.net;::ffff:40.126.26.131;::ffff:40.126.26.18;::ffff:40.126.26.130;::ffff:20.190.154.141;::ffff:20.190.154.140;::ffff:40.126.26.19;::ffff:40.126.26.17; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650306 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.448 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=323D3FDB74048A7AA25741858F169CB0,SHA256=23AA71F188D39356997BE8E47BE61AF368E3C4716AF61A7B67454145714F9960,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650305 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.386 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=B003B48E59B59E2B18AF4601C0FE6964,SHA256=972090CBA2FEA99D9CE773288A2CEE10A66FB36DB1EC3FBCDF7329CB1E9781EB,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650304 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.308 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=53FC7E0BA34813BC3AA04071883A8FCB,SHA256=FADB84610B5026B9DBA23E6DD1660BCF0735125642429410EF45FDDBA9162006,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650303 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.245 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=04CD804FE7D62C489F34F93ABFFDB2F9,SHA256=427F48197C58363A1CA41A6E43DBF00821400FA149B27B7639CA27C812C2536A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650302 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.183 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=8492DAC41D23D1E096EE1F040C3FFD3F,SHA256=263465650DE7079C8B1F7D750458D89EC4A9454BCC3C11C234B9BA9A6D93AD9F,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650301 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.183 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=4E350E197BBF3E69BFE3DEC836DB0B02,SHA256=F3D3F8DF60DE8BCB5F445CED2C0F04B4C438525355F3F441B5829D5ED59AED2E,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 595730 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 13:54:32.663 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=B74AD885A70B320D5B97E2A8FF9F7B58,SHA256=4DDD9CECAFA5F2BD893CB40AA84B225DBE59CEC10E219BA5BE2D1C81F68461D9,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650332 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:29.080 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49984 | - | false | 13.86.219.80 | - | 443 | https
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650331 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:28.718 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49983 | - | false | 20.189.172.0 | - | 443 | https
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650330 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:28.695 | {D419E45B-753F-60B6-2700-00000000C401} | 2868 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 53 | domain | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 55467 | -
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650329 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:28.535 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49982 | - | false | 13.86.219.80 | - | 443 | https
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650328 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:28.326 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49981 | - | false | 13.86.219.80 | - | 443 | https
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650327 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:32.620 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=1E8697979B37DCBE7EAB0514735FD6D3,SHA256=64D86E5FC401871A5BCFD6DDADA500F2B63E137D1D8598AAE2FA660A099CC7D8,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650326 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:32.511 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=AB92F9CFBD0C84CE59C8C37F7F1C4D89,SHA256=20FA40DEC7002BB62E88608D9AB66264E2AB3A0303710CEC0FE38A4AF91AA8F9,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650325 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:32.495 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650324 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:32.495 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650323 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:32.386 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=2D634C93E8C0570EB1F7024550EC6B01,SHA256=959F13712A960527BBB5F1878A1A59E929E397A9E3AECEAF87417A55A479D623,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 595731 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 13:54:33.664 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=77565F35453306B8CA3ABB35BCAB3D6A,SHA256=95B647BD2DA7D16817CF2449BCBF33E884E657F0043F76AE6A313CE7488CF5CA,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650345 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:33.792 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=5C0739DBB02C84F42C20DF6573134A16,SHA256=5FA4164094093F315B6E68D6DF657F414062CF78E15DFE40A8D287ADA9B91541,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650344 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:33.792 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=448511EF64AAC15C5D85A5A653F5D9B0,SHA256=142EBFF8A133EE6145D3121D748D14F8ACE7266DC0AE0D5FA048AA26AE9F08A9,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650343 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:29.261 | {D419E45B-752F-60B6-1400-00000000C401} | 1100 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | udp | false | false | 127.0.0.1 | - | 65505 | - | false | 127.0.0.1 | - | 53 | domain
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650342 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:29.250 | {D419E45B-753F-60B6-2700-00000000C401} | 2868 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | false | 127.0.0.1 | - | 53 | domain | false | 127.0.0.1 | - | 65507 | -
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650341 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:29.250 | {D419E45B-753F-60B6-2700-00000000C401} | 2868 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | false | 127.0.0.1 | - | 53 | domain | false | 127.0.0.1 | - | 65505 | -
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650340 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:29.250 | {D419E45B-752F-60B6-1400-00000000C401} | 1100 | C:\Windows\System32\svchost.exe | NT AUTHORITY\NETWORK SERVICE | udp | true | true | 7f00:1:0:0:9860:c3a0:a8a:ffff | - | 65505 | - | true | 7f00:1:0:0:0:0:0:0 | - | 53 | domain
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650339 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:29.220 | {D419E45B-753F-60B6-2700-00000000C401} | 2868 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 53 | domain | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 65507 | -
22 | 5 | 4 | 22 | 0 | 0x8000000000000000 | 650338 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:29.393 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | dc.services.visualstudio.com | 0 | type: 5 dc.applicationinsights.microsoft.com;type: 5 dc.applicationinsights.azure.com;type: 5 global.in.ai.monitor.azure.com;type: 5 global.in.ai.privatelink.monitor.azure.com;type: 5 dc.trafficmanager.net;type: 5 wus03-breeziest-in.cloudapp.net;::ffff:20.189.172.0; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650337 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:33.339 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650336 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:33.339 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650335 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:33.124 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650334 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:33.124 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 650333 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | T1053 | 2021-06-03 13:54:33.105 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Temp\20210603015429-azresourcegroups.json | 2021-06-03 13:54:33.105
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650350 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:34.823 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=ADD3B1C1D23C754CF9D343CDDE4369E1,SHA256=74383E0516395C9A6412E7D0A9EBEEC6819318AC1A1C1485A8073E5B9F8412BC,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 595732 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 13:54:34.667 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=AB02BDD62E512986187CC51F8708F4FF,SHA256=8C530B45730E3E2B5395252476C787D7DB46E12FF7165459A0B1BA678F7DC103,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650349 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:34.636 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=08543D592EC9BBE67920677EA525AB24,SHA256=1BA2865E80BD5D050F1A9050D722B71A6C48ED464E69C234BDB9A081C32E9B5E,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650348 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:34.245 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650347 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:34.230 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650346 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:34.167 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=33D02DA469E8B5C3A7B0BF0D8FA502D6,SHA256=1B8537978F76D4B14B09F6147F58D8DC1064580B739CDB2153591AD9DB19F26B,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650371 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:35.965 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650370 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:35.950 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650369 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:35.950 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650368 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:35.950 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650367 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:35.825 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=1AECA5D6A4FEA7595F224C8BA545CB91,SHA256=B82805D88C85B443FA1F2893202CCEC9E568E25D4822B380CAB69B500A0F443A,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650366 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:35.825 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=56D0C550ABA25E41FAA39588E134BD16,SHA256=B045925390414361E17FD974DFF3377B98A81D8911265D97354CE657523337AA,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 595733 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 13:54:35.682 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=2E9305909860C560C761E2E2DC6BD135,SHA256=186A142F3BFC621922415A276710D2AF0E680EDCAA2DF1F02BBE058802B25F1E,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650365 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:35.245 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=3B7132670AB68EDE08020B9722DA8F17,SHA256=98D31B0CD9C92D7E4D8DA3E8D245D39377D90256630CC0E50A500F657ABD02E9,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650364 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:35.230 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650363 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:35.214 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650362 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.039 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49991 | - | false | 20.189.172.0 | - | 443 | https
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650361 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:30.888 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49990 | - | false | 13.86.219.80 | - | 443 | https
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650360 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:30.677 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49989 | - | false | 13.86.219.80 | - | 443 | https
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650359 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:30.266 | {D419E45B-753F-60B6-2700-00000000C401} | 2868 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | false | 127.0.0.1 | - | 53 | domain | false | 127.0.0.1 | - | 52178 | -
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650358 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:30.235 | {D419E45B-753F-60B6-2700-00000000C401} | 2868 | C:\Windows\System32\dns.exe | NT AUTHORITY\SYSTEM | udp | false | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 53 | domain | true | 0:0:0:0:0:0:0:1 | win-dc-233.attackrange.local | 52178 | -
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650357 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:30.226 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49988 | - | false | 20.189.172.0 | - | 443 | https
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650356 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:30.052 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49987 | - | false | 13.86.219.80 | - | 443 | https
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650355 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:29.434 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49986 | - | false | 20.189.172.0 | - | 443 | https
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650354 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:29.291 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49985 | - | false | 13.86.219.80 | - | 443 | https
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650353 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:35.027 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650352 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:35.011 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | ATTACKRANGE\Administrator | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile | MD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 650351 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | T1053 | 2021-06-03 13:54:35.011 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Temp\20210603015429-azvms.json | 2021-06-03 13:54:35.011
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650380 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:36.982 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational | MD5=1D9F1DDDA55E4C56255612BA462E3DD5,SHA256=A001B4D835C533F8D37918EA73E964F5316BFCA5F718A7528C7321C4DF83C02D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650379 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:36.966 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | MD5=832A6272AEEAABF71BE7ABCFC67A115D,SHA256=937B447662EC6D24ED90582E95445CEE7EA0D3BC388CE982D738D182392224FC,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650378 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:32.563 | {D419E45B-754A-60B6-6C00-00000000C401} | 3320 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49995 | - | false | 10.0.1.12 | - | 8000 | -
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650377 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.950 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49993 | - | false | 20.189.172.0 | - | 443 | https
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650376 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:31.790 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49992 | - | false | 13.86.219.80 | - | 443 | https
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 650375 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | T1053 | 2021-06-03 13:54:36.857 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Temp\20210603015429-azgroupowners.json | 2021-06-03 13:54:36.857
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 650374 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:36.841 | {D419E45B-7552-60B6-7500-00000000C401} | 2528 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=176E1CF6960291F8C1AC2D64D480CA72,SHA256=027A7A20AEE4A5CC7517F2CABB059EC75109C17424FD130949E0271836F130C5,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 595734 | Microsoft-Windows-Sysmon/Operational | win-host-236.attackrange.local | - | 2021-06-03 13:54:36.698 | {97C2ED32-788B-60B6-F700-00000000C501} | 3204 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=1A9E905107862658AC7359477409EED8,SHA256=DBE0E3B63135EE7756BB4511975E6CAEDC188F13FA2884CAC941DF4E6483D364,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 650373 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | T1053 | 2021-06-03 13:54:36.717 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Temp\20210603015429-azdevices.json | 2021-06-03 13:54:36.717
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 650372 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | T1053 | 2021-06-03 13:54:36.578 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Temp\20210603015429-azkeyvaults.json | 2021-06-03 13:54:36.578
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650392 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:33.687 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49999 | - | false | 20.189.172.0 | - | 443 | https
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650391 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:33.510 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49998 | - | false | 13.86.219.80 | - | 443 | https
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650390 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03 13:54:32.926 | {D419E45B-A18D-60B6-EF0A-00000000C401} | 3200 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ATTACKRANGE\Administrator | tcp | true | false | 10.0.1.14 | win-dc-233.attackrange.local | 49997 | - | false | 20.189.172.0 | - | 443 | https
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 650389 | Microsoft-Windows-Sysmon/Operational | win-dc-233.attackrange.local | - | 2021-06-03
13:54:32.776{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49996-false13.86.219.80-443https 354300x8000000000000000650388Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:32.574{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49994-false13.86.219.80-443https 23542300x8000000000000000650387Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:37.861{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04C5EF62CE48A2DA02BE7D65E101BFA,SHA256=28AE0C3E1D6B19D23ECB31259F7C1FF0186AF50B7BD94107DDF06EA5D7F3BC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595737Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:37.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF4AC596D4390767BD3E4F4A32FC371E,SHA256=7F79EE6350036B4A589FFB836D8CAC46DA17500643B99F0752A2EB3F720A0BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650386Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:37.216{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650385Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:37.216{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650384Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:37.045{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBF20B0537899772131CC7554FF25276,SHA256=45322667986891906AE247C48E3462BB57CF26E07FBC594A246F0A756FBE8465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650383Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:37.013{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650382Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:36.998{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650381Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:36.998{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azgroupmembers.json2021-06-03 13:54:36.998 23542300x8000000000000000595736Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:37.057{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42C9C99027A719ADF85120B3E08E6412,SHA256=2BBA986E95B573B32C87DF0419BD18AB3DAC625BBDEB95D15B60E9171962B543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595735Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:37.057{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9665C66444318B3072B080DC9471C327,SHA256=F272A9AA46559C87EA5EA57D678E6F5C6DE3F94CDAD03C685325672AB24D904B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650403Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:34.995{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50002-false20.189.172.0-443https 
354300x8000000000000000650402Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:34.773{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50001-false13.86.219.80-443https 354300x8000000000000000650401Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:34.561{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50000-false13.86.219.80-443https 23542300x8000000000000000650400Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.877{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154B8471368F9A2ED46517D1C6840BAC,SHA256=D1E0353F531DA5A287397812119E04E8E21FB64E61EAD1764EC0B8ADE579E979,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595739Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:34.871{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49790-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595738Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:38.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E55E872FC960997520383E05B82888D,SHA256=EC3A9E68FCBDA93A68B7E732B4727D7AFCA47FB60CD172F50ACB5E1861F79912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650399Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.861{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650398Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.846{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650397Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:38.846{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azvmpermissions.json2021-06-03 13:54:38.846 23542300x8000000000000000650396Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.174{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C358F70C5D68FD7F370D0203C015DDD4,SHA256=CAD2952A55BDF839F017006EB512F3FA6AC5C7CAE7404C9AEDE9A40EBC4DBE32,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000650395Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.033{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6AF186FBBE2E1A07E4525A382F92B845,SHA256=591F471FE56178654EBACA47559A905F9D1148E5CB1F83E5442BD4FFD652C3F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650394Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.018{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650393Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.018{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595740Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:39.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B433DA8136F0F3ED4AE9750E69662DA,SHA256=102DE90D841E4CA5A1D5779082CFA042A8207A453D094C42C5D3398AF2553B6E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000650409Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.893{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0C54E664BB7FFCFC6F540B1DF3902F,SHA256=8B0D286D06C173FA38095B86344D00779AF2E8C9D94CD69CCB150F7D9EC49566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650408Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.846{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6AEF865118055ED817A4042E015418B1,SHA256=633D1E64E6888AD940902F861613042E0D772DAE4AC776A6E2F0FF18731477CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650407Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.408{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB49ABF10D5876119A6F7195A2BBB381,SHA256=53DDDFC092F9B922E031A6E5ED063FBE3E580736D825166E1D886E65FA960B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650406Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.408{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54EE2034BA7BE3A4BD6158EC85043DFA,SHA256=D473AA60AACA47DD59D71C22250A61694E999A7642431D994B00FE2F4E8A08E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650405Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.143{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650404Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.143{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650419Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.939{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A71CDD4EA91806B1E6680A6394AEB4,SHA256=31B3FF6051C25E935EAADF54C2D500CB25EFE53130077A8E2D7539FBF7607671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595741Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:40.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7485CC0DB046A695578E46E33BC8A070,SHA256=0EA19965F1C77DD9C308C8BC471772DD746DB59178E201C1F4AC64A648E0DECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650418Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.877{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650417Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.877{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650416Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:40.861{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azrgpermissions.json2021-06-03 13:54:40.861 23542300x8000000000000000650415Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.674{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3740714A924E3F8B2C945598EFC2F324,SHA256=6F70E171A1AC3F4ACFD8DE08B805A63E1E40C33ADB7E6D766E3881AC19048B47,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000650414Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.033{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650413Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.018{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650412Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:36.407{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50005-false13.86.219.80-443https 354300x8000000000000000650411Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:35.718{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50004-false20.189.172.0-443https 354300x8000000000000000650410Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:35.565{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50003-false13.86.219.80-443https 
23542300x8000000000000000595742Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:41.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0961A1DFEBD1D63F537C3FE2063DAA5E,SHA256=662526E8D9B6D43EB700F56EF084F72717E5D00F69EE6B2963A986C5DDD60D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650426Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.580{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650425Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.580{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650424Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.564{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000650423Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.564{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650422Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.096{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650421Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.096{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650420Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.033{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6B79B1711F88B0298AA41B6798D20982,SHA256=6D5597DD88D5526B1D28623C8AE339CFE45E369C1BDD2B6C66B894E28853B2DA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000595745Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:42.713{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=966E65F907F04BE24AC79C891286C418,SHA256=E0B0C895B7F3C3BE6469AB858DFE7B610318EE1BB20548D6E65C511D04F05E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650444Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:42.830{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650443Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:42.814{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650442Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:42.814{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C4ED5F7A525E7A7767B58C0640DC4E8,SHA256=78907C257B5B8663629B91BCB09A5F516E55D6966DC00D9983DA1FE0780AEBE9,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000650441Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:42.799{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azapplicationowners.json2021-06-03 13:54:42.799 23542300x8000000000000000650440Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:42.799{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A71B6D7C93F9394892D7BDCA2C8C4B4C,SHA256=739C2A1A2F129F3F3C056D0F2234A5009906A22346D291801CE0B503B81B32A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650439Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:42.705{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azprivroleadminrights.json2021-06-03 13:54:42.705 11241100x8000000000000000650438Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:42.689{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azglobaladminrights.json2021-06-03 13:54:42.689 11241100x8000000000000000650437Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:42.674{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azgroupsrights.json2021-06-03 13:54:42.674 11241100x8000000000000000650436Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:42.658{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azpwresetrights.json2021-06-03 13:54:42.658 
11241100x8000000000000000650435Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:42.424{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azkvpermissions.json2021-06-03 13:54:42.424 23542300x8000000000000000650434Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:42.174{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=677551496CBC57DEC94DC4878AD32704,SHA256=81D507B097817346E35B94E906B6E53620CE824D8070ACFA5FCC19876433E913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650433Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:42.174{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656A820CF4A9EF0F045550BA5C48B789,SHA256=6A7CA1222740BDF6C9FABF2FEBF3152DFFE9AB17840CE6C4F5E7569AA6D2F729,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650432Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.437{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50011-false13.86.219.80-443https 354300x8000000000000000650431Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:37.718{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50010-false20.189.172.0-443https 
354300x8000000000000000650430Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:37.601{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50009-false10.0.1.12-8000- 354300x8000000000000000650429Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:37.575{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50008-false13.86.219.80-443https 354300x8000000000000000650428Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:36.841{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50007-false20.189.172.0-443https 354300x8000000000000000650427Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:36.691{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50006-false13.86.219.80-443https 23542300x8000000000000000595744Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:42.119{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0572769C4AA1D85BC77BE131A675DA7B,SHA256=893E2533C0A61CA717ADCF688900DF964939CFB73E35965E75FDCBB6F9F9FCF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595743Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:42.119{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42C9C99027A719ADF85120B3E08E6412,SHA256=2BBA986E95B573B32C87DF0419BD18AB3DAC625BBDEB95D15B60E9171962B543,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595747Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:39.949{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49791-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595746Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:43.713{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F375D8BB789C44DA50CDBAAA8BAF352,SHA256=8F952452FF3DB3F041597B2F57743881EEF8D648E924F2A1AE28B7BABDAD4DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650457Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.877{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7377B14F81FF5B588EB578D8DCDD01DF,SHA256=968BE112C9198B69B46BDCE33E107BFF88580DB1C52FF6554953EDC14EE06A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650456Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.799{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39BF55B1A3E0A713BBEEB29D6F29A773,SHA256=DF885C8AD43ED27BEF95D4363BE69109D6ED158211615E81389DFE531BEB156E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650455Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.799{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C7F839E3608C9BF9722DC53AF7F4ADA,SHA256=A4A41A2E994EB3492DB66C43DE2258A30E2E56E0C14C4BBD19E552D6B307105E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650454Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.799{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F01845E2A7CE0DABCB6A1911A1A62775,SHA256=3813135F237F88D501D67DF169EE4C11E75589B8279822E0A92B5FE1B2A1DB30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650453Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.189{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650452Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:43.189{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650451Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.143{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E064839EDD23AD7D338B87D2CE3A35BF,SHA256=285159C43C3DCF3292FB12E5B2AA1BF66DBEAA639F765DCDEED0FB3410B461F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650450Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.297{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50015-false20.189.172.0-443https 354300x8000000000000000650449Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.131{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50014-false13.86.219.80-443https 354300x8000000000000000650448Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.810{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50013-false20.189.172.0-443https 354300x8000000000000000650447Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:38.652{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50012-false13.86.219.80-443https 23542300x8000000000000000650446Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.018{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650445Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.018{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cacheMD5=873E03DCAFDA6E1F8142CDB2F10C046E,SHA256=BEE48B303E091490D9E39634526109433A113E55B9B9292516A503623D4C3A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595748Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:44.713{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7476CCDB8F4E38B2FDB5E186FC64F0A,SHA256=DDB3958E09334CE5A853EBD2F166FB4DD20E8440D295FF522F167C7BF0D1FCFA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650462Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:44.689{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azurecollection.zip2021-06-03 13:54:44.689 
11241100x8000000000000000650461Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:44.643{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azcloudappadmins.json2021-06-03 13:54:44.643 11241100x8000000000000000650460Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:44.643{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azapplicationadmins.json2021-06-03 13:54:44.643 11241100x8000000000000000650459Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:44.627{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azapplicationtosp.json2021-06-03 13:54:44.627 23542300x8000000000000000650458Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:44.283{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9E39790A50B436C9BD47FF2826F90B,SHA256=F13E70E36884A99035751B67F3DC119041AC469D672A83F3F7CD20B46635E6F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595749Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:45.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDDF46EF3AEBFC5E28806FED600817B,SHA256=CC9726E447A54815C9F90E399387E55D6CD27900025FACBF33A283FF671FB951,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000650487Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.971{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9710DDD04F9DA8A68B1DC58A47CDA8A2,SHA256=88E66770B26D455C52080A613E12006835BE2A70327C902545254801F3F358B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650486Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.299{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D34E691E060327C88F9216C7C8C30D,SHA256=01657BF1C5CBA094A806910DE4D527C8D95B7F8D1A8E036AF2434A4F6C9D778B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650485Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.283{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azvms.jsonMD5=1BC81925A20C7F096502DCA2C9C47C9C,SHA256=6322AEC107856D523DC0EDA6564DD3643E3F8F4F11C5398BCF5BD2905A6E0C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650484Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.283{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azvmpermissions.jsonMD5=7A47EC350D1D2133DAD1DF478C97CBD4,SHA256=4FBBBD5F5C6D609250940B7F785EBBE1CCD853887C752B6075B2651031067D0F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000650483Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azusers.jsonMD5=E144CFAD0FE3AA7EACBF3CA8FDC88182,SHA256=7C5C4DB0398C3A18AED6DA46B358D137B847E783ED1F9F8B839C0B5654C1CED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650482Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-aztenants.jsonMD5=D1D52BE3FA4CE6E2D2382CBBE77486E9,SHA256=6E5AA4D5B464D55A65D95FF36675321A8316B2D6ADA9DBFDCDC504E5744A7BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650481Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azsubscriptions.jsonMD5=5B499DC9AB3282214FEF6BCF0843A8C7,SHA256=8B33B8615ED1EA02DD47577B19D8EE2398FAFACF56E33066B778A0B86A151D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650480Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azrgpermissions.jsonMD5=6EA565ABCEBA55D19CF97E4C96E60B5D,SHA256=7052BDB6DE23B7452F9EB22362F8259C8484735656BA04183E4BD0B8E77BC248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650479Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azresourcegroups.jsonMD5=F6EC60B82A1DB86C4B8766CC6EB167D5,SHA256=6BDE29AA2214694A25CF1985C780E3274CC15E5BF2F9D3ABAB66D5D97E3F09D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650478Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azpwresetrights.jsonMD5=D4FA697B3330E334F135E70BD56B1727,SHA256=7BC07A457B9DDD01D44E882740CA583F370D31CE7490F40948552D3A47AB6827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650477Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azprivroleadminrights.jsonMD5=F78CA8D8BDF80D01E74ED7287665F1DA,SHA256=D693916C72B4F996FAB35A085C3378CDF188F376D40C4D894CBA74068DC23CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650476Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azkvpermissions.jsonMD5=9C478B11F7528FB3BAA8F4993BAF70B7,SHA256=A92449DED51E6EB4FF14ED36D24EB8A00052F2B69487F851BD05134F5D5118E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650475Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azkeyvaults.jsonMD5=4100B70CD1C1DCAE2715B81CE21345F2,SHA256=93D6F2CB90BDDA1EE8CF7372FBBC13D2BBD4E83F7B7B946C8D00216362234AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650474Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azgroupsrights.jsonMD5=C3B4A2BB61E6CFC06AB06FC89F3C9805,SHA256=350766AC6EB1012915C4D553E4B051B9108281880704FEE57B9C565624E7D782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650473Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azgroups.jsonMD5=2084BBD7754D35067B150A0B3D8863D9,SHA256=EA31AE8F35B76AD4AAF4B6194992E174636CE5AA07F61F17B9EB44DC734EED35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650472Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azgroupowners.jsonMD5=601630A1338D5A321681E8EB6D669E70,SHA256=6BFE453149EC66EBF11BCB4FFC035A3BF20478F3D42FF3CFBB25DF844176D5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650471Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azgroupmembers.jsonMD5=CCE2966BE725FBFFC01F218D2B4698F2,SHA256=8D5590A1636B35F1032D6DD8B40CD40CD8DDFF820EE9EA4971CDC03ED188CA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650470Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.252{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azglobaladminrights.jsonMD5=B8309D3AA5D04E8B9F46A80A3D9082DD,SHA256=4D131E8A1123E337F8FAD05B116CAD47D010C264BA5534C207DA2C2ED83DA011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650469Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.252{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azdevices.jsonMD5=6E0B808FAA0CCC7E25CEFF3FE2544ED8,SHA256=E86924891B7B1B68EC5C24CAF380E86D474FBDCC381B0A5703A61BFC62065B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650468Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.252{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azcloudappadmins.jsonMD5=78B89398A676E37D525E6732E8A4D662,SHA256=B7260D16327367A0ACC67E423EE3DB2E43303A874966F58E04A62124DCDDE9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650467Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:45.252{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azapplicationtosp.jsonMD5=152DFF62532242B467136D9FA375580D,SHA256=AE43BB0860EF7B14646EB45E24A7371470DC087F19009A046A6F57CBD7C1AA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650466Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.252{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azapplicationowners.jsonMD5=6AA018EB96650197815AE716B0942412,SHA256=55664B3231D64DB9A54A0844C028828C9E5F8827126D10DC5D5B8C09A0CB04CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650465Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.252{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azapplicationadmins.jsonMD5=FBD267B18D994FFD0670FE0D66079195,SHA256=3276C01CC052BB3666FD4B67A63E9B6042FB15409885D40A766BA37888D49E35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650464Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.567{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50016-false40.126.26.131-443https 23542300x8000000000000000650463Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.127{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EE4E9DF855F0186818068FBB8AD2292,SHA256=6236F5337F3E111DABB51C9FE7CF00C8CB1D33DFFB0724C30F7453753957415F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595750Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:46.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98EA207B5DC8F21B557437DC4AB6460,SHA256=A16F0CE321E71099DB5D1C381178274281F39AA3F61D3A12D1CE2DE71B177B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650494Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:46.314{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB0008B6F460BE910B8F51A8AE3B035,SHA256=33671BC55B65437C44EF487C36452F811965FD1CC53F465C9DE13D2B4B34709B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650493Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.624{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50029-false20.189.172.0-443https 354300x8000000000000000650492Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.095{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50028-false20.189.172.0-443https 
354300x8000000000000000650491Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.737{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50017-false40.126.26.131-443https 23542300x8000000000000000650490Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:46.221{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3B5B29AB18654B4A434E2E4BA3CDB3A,SHA256=0B48C529F2C24A029CC9D916DABED01BD747A918BFAD5916F2FA88B42BD43E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650489Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:46.080{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72736C45CD606714CFE35B958DFF38B8,SHA256=A35A9E22CB151D9A52F48B272FC5D795FF45D99354AE5D6CDA63B16A0B731557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650488Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:46.018{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A22C89EEF339F3A756881C6B1CB3A8F6,SHA256=52058B770F6A6645CA143B7669A3F6303746BD4FB4347EE3F67D81562C44E811,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595754Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:45.012{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49792-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595753Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:47.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5A74C4AADF0C7CE52F8EE241BBFD5B,SHA256=F9C28E4EB1F624788ED68D7D780A3977B182BAB4B5853160405D931B31FE683D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650496Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:47.502{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E472E9D8842181B0AEFEEFDB7EF1ECA,SHA256=13E9BEA11970B1932A4EFFAFE69C2088E7EE980EC1E557D40627C988EFE2A1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650495Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:47.502{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBAAEF308424449F653E7CE33365313,SHA256=002DD63BFEFE7EB5A4B3061FA4B213403DEE8E269138F1E2AC8E1CAFCDC4D4E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595752Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:47.182{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F2A5A1C58EFCB43E427D8395A771807,SHA256=3B9276720A9A53EE4A8159A22210E4E2989A4968822255FF35B90B1287271765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595751Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:47.182{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0572769C4AA1D85BC77BE131A675DA7B,SHA256=893E2533C0A61CA717ADCF688900DF964939CFB73E35965E75FDCBB6F9F9FCF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595755Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:48.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03556455C18C4503EE33AA98B3F6770,SHA256=7B6FFAC635E5EAE42F7D77C4D2C2132F7575D071CF0E3A39EE541A6759C717C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650499Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:48.643{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DAB42BCCCBB72B03FB8DA5BAC86D0F7,SHA256=E20CEFA25A7F7051D2476CCF11988448162C7C8B1DFA43CF52C9B0B8B8F5732C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650498Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:48.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BECA766A57E151CDFCAB66C0345F75E,SHA256=E101354F19C4B87B227328EC3BCF16C37B5F64CCC9DCF5116AF315F5E6B1C846,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650497Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.585{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50030-false10.0.1.12-8000- 23542300x8000000000000000595765Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD816C1C2570696992E2D7B45EFCAB23,SHA256=13CDC39E812D2F1FDE1CEF77B1717CA7E572CB55245A20931EE387012269A470,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595764Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.729{97C2ED32-DF29-60B8-5858-00000000C501}47325956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x8000000000000000650501Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:49.783{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F90B3D85417C8027FE8F06BFF22C89A,SHA256=B4EC667BF9C24FD7F6BE91C57B0E24736C89541639853AD60AC58E69E20006A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650500Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:49.549{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F00908F2017AE9042E56B57A5B654D0,SHA256=8CA18CD424BBF79742F554BF672C60453F5992C3C372EFAB62B7614F73D29E3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595763Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.573{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF29-60B8-5858-00000000C501}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595762Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:49.573{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595761Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.573{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595760Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:49.573{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595759Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.573{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595758Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:49.573{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DF29-60B8-5858-00000000C501}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595757Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.573{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF29-60B8-5858-00000000C501}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595756Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.573{97C2ED32-DF29-60B8-5858-00000000C501}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650503Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:50.814{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE3CFF35D6AEA26E8F476F7F851EEB8E,SHA256=26C353E198822BE5D2511F6D682794A53BB9F0AA246FFC8EFBD0E519B898272E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650502Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:50.580{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC9B639A6E6B85E3675CF0909206DA3,SHA256=EE1E52E8CD265A6079BA1825F84C7004D3AA1020CC80067076E5E47BFBF730DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595784Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.916{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF2A-60B8-5A58-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000595783Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.916{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595782Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.916{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595781Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:50.916{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595780Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.916{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595779Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:50.916{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DF2A-60B8-5A58-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595778Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.916{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF2A-60B8-5A58-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595777Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.917{97C2ED32-DF2A-60B8-5A58-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows 
(R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595776Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B3CBBBC32E955AA68DC93C3F64B97C,SHA256=D557FF7B44A138187B5D36D338766E02F4050156643310622EC42B717A4F7283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595775Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F2A5A1C58EFCB43E427D8395A771807,SHA256=3B9276720A9A53EE4A8159A22210E4E2989A4968822255FF35B90B1287271765,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595774Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.369{97C2ED32-DF2A-60B8-5958-00000000C501}39246064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595773Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.244{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF2A-60B8-5958-00000000C501}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595772Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.244{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595771Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:50.244{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595770Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.244{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595769Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:50.244{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595768Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.244{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DF2A-60B8-5958-00000000C501}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595767Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.244{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF2A-60B8-5958-00000000C501}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595766Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.245{97C2ED32-DF2A-60B8-5958-00000000C501}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595794Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.948{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=994B9F31E978BDFF61E4263B63349974,SHA256=1922C91D2AB730A22991111643EED3C4CF807D0B78D7202549A1337E6758B7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595793Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:51.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDFBDC414024FD43CB88450714C3C86,SHA256=6B6F543F37358058CE906C455B9D8AC1962A2B54A1B5CFB842EAED9C133EDFB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650504Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:51.596{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06FFA3949BAB8989842874CC9A401627,SHA256=FC7736D8AF6C0F510D392DD78C8E3E6260B88728DEF124EE2968024598F8FE4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595792Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.588{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF2B-60B8-5B58-00000000C501}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595791Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:51.588{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595790Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.588{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595789Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:51.588{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595788Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.588{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595787Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:51.588{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DF2B-60B8-5B58-00000000C501}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595786Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.588{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF2B-60B8-5B58-00000000C501}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595785Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.589{97C2ED32-DF2B-60B8-5B58-00000000C501}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000595813Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.932{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF2C-60B8-5D58-00000000C501}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595812Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.932{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000595811Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.932{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595810Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.932{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595809Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:52.932{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595808Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.932{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DF2C-60B8-5D58-00000000C501}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595807Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.932{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF2C-60B8-5D58-00000000C501}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595806Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.933{97C2ED32-DF2C-60B8-5D58-00000000C501}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000595805Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.027{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49793-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595804Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF1D1F3CB1ACD92EACCB6504D9CD49C,SHA256=B48708C446ED59CE0AAC6CE9BC1C40B5BAE205D827BE2D8AB5D63016D69288BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650506Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:52.643{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1619F33B324D2EC10F032D38B492FF2,SHA256=3668AFA31314D439D063544315671BC8616354A6E504BE8786EE96FB80925D3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595803Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.385{97C2ED32-DF2C-60B8-5C58-00000000C501}1416732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595802Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.260{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF2C-60B8-5C58-00000000C501}1416C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595801Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.260{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595800Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:52.260{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595799Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.260{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595798Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:52.260{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595797Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.260{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-DF2C-60B8-5C58-00000000C501}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595796Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.260{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF2C-60B8-5C58-00000000C501}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595795Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.261{97C2ED32-DF2C-60B8-5C58-00000000C501}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650505Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:52.064{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD90C9818E48A8AA519C930A3173BE82,SHA256=DD0ABE200F2295C37994F159635DF774BDE2504944A675E5D7D6736486E087B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595824Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16962AE31AEF38C7A3193FBD42794F71,SHA256=8FBC4EC8C2949157F5AF95B285F55F266EAFFA09B1AD1581B0113B379733ADE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595823Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.744{97C2ED32-DF2D-60B8-5E58-00000000C501}49123328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650509Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:53.721{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AF22B31017480BDBCB4AC58085C10F,SHA256=EF773CB9E839F348FD4C4EDF741EEA25E9DA7BFF74946304B01E4457170D01ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595822Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.604{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF2D-60B8-5E58-00000000C501}4912C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595821Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.604{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595820Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:53.604{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595819Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.604{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595818Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:54:53.604{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595817Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.604{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DF2D-60B8-5E58-00000000C501}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595816Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.604{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF2D-60B8-5E58-00000000C501}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595815Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.604{97C2ED32-DF2D-60B8-5E58-00000000C501}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595814Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.260{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A45D332A5C8C47FDE2EB208797FF51D6,SHA256=9868834B8953B121F9F5395310C3C5E00AEFE63C10818B88BBEA956659E44070,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650508Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:48.710{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50031-false10.0.1.12-8000- 23542300x8000000000000000650507Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:53.174{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B212D638BCD7E22151DC5E682D299E1B,SHA256=38415771B4AE1B870647F72CD7BDDC3B017A153F78D4A17506590641824C0AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595826Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:54.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBC71544DAF7C769A9C5F50594FB4303,SHA256=C549BC18DDFEF9DED523CA28C92188075AA8C1C779D91967AAAB39EC64FE698C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595825Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:54.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B115720835E18193CB0E6211A5A8C73,SHA256=9C34D92070548095C80650BB4E1EBE9553918B154C37B12CE17314E344F06BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650511Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:54.736{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B4839F9C2D0D7396727969373DD345,SHA256=DB706653E8BB127E2E213FA8ED3A114D3BD6D25030C0BE5E8E61556F7F6123F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650510Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:54.361{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A39CB482F85836E943BDF9594CA9C10A,SHA256=B540C0EFBAF95B83C78A7301D961439297AA616D92BF986E65FFDEEABEAC18D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650513Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:55.986{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8740E2CA1659E4A552A1885E8B34CA06,SHA256=81BFA62FFDBFE1728007692515E00A3E092CA19E80456CA85BAA3597E99DCD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595827Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:55.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F55AD9201B34E472599FA5DEAE8A3DA8,SHA256=8AB4AF45F55FB3D525EF95BCE5CB97B3BFB4657A2F0BADB0BECD2EC9E9C3008B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650512Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:55.565{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FE305A71E6956FCF94511D515EFDE8C,SHA256=9F3D166846D1F27E25E3A3F98FC0382720C43928B964B0A717674198CA5C4DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595828Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:56.745{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9CA7808E46C4F0F4664E9F5563B07F,SHA256=A29FE058EDC028B049DEE0591F813B2D13BF5174821322A34F1B327A5D49C522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650514Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:56.673{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB8348CC1D34B6DD368A71E69AE9862B,SHA256=53502AE1CE3273EE0A784558E11D7BD9C4D5C6E09F9E6B449BBE035E11508468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595830Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:57.746{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5FCFF1E181980B840F113854B26BB4,SHA256=65C0EF6F2921FE33145296CB7DFC322BA0CF39CA9EA66C06D95B42323D5E1E23,IMPHASH=00000000000000000000000000000000falsetrue 
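The records in this export are Sysmon events as Splunk renders them with the XML tags stripped, so the fields of each event run together: Event ID 10 (ProcessAccess: UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace), Event ID 1 (ProcessCreate), Event ID 3 (NetworkConnect) and Event ID 23 (FileDelete). Two things worth checking in the Event 10 records above are what the GrantedAccess masks actually grant (0x1fffff, 0x1400 and 0x101400 all appear) and how to suppress the benign full-access handles that csrss.exe, conhost.exe and a parent process hold on a process it has just created (splunkd.exe on splunk-netmon.exe, with a KERNELBASE/KERNEL32 CreateProcess call trace) without also suppressing a process that reads another process's memory. The Python below is an added example, not part of this export and not Sysmon's or Splunk's own code. It rebuilds a few of the events above as Sysmon XML with the System header abbreviated and the Data fields not needed for the rule left out (so the fused SourceProcessId/SourceThreadId values are not guessed at), adds one record that is constructed for this example and did not occur in the export (the updater.exe image and the all-zero GUIDs are invented), decodes the access masks from the winnt.h process-right constants, and applies a small triage rule whose allow-list (SUBSYSTEM_SOURCES) and sensitive-rights set are this example's own policy choices.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) against Event ID 1 (ProcessCreate).
Added example, not from the original export, which is Sysmon XML with its tags
stripped; a few of those events are rebuilt here, plus one constructed record.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process access rights (winnt.h); 0x1fffff (PROCESS_ALL_ACCESS) sets all of them.
PROCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION", 0x2000: "SET_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Rights that let the source read or tamper with the target's memory or threads.
SENSITIVE = {"VM_READ", "VM_WRITE", "VM_OPERATION", "CREATE_THREAD", "DUP_HANDLE"}
# Session and console subsystems hold full handles to every client they serve.
SUBSYSTEM_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\conhost.exe"}


def decode_access(mask):
    """Return the set of right names encoded in a GrantedAccess hex string."""
    value = int(mask, 16)
    return {name for bit, name in PROCESS_RIGHTS.items() if value & bit}


def parse_events(xml_blob):
    """Yield (event_id, {Data Name: text}) for every <Event> under the root."""
    for ev in ET.fromstring(xml_blob).findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, data


def triage(xml_blob):
    """Return (source, target, sensitive rights) for ProcessAccess events that
    neither process creation nor the Windows subsystem processes explain."""
    events = list(parse_events(xml_blob))
    # Event 1 maps each new process to its parent. CreateProcess hands the parent a
    # PROCESS_ALL_ACCESS handle, logged as an Event 10 from the ParentProcessGuid.
    parent_of = {d["ProcessGuid"]: d["ParentProcessGuid"] for eid, d in events if eid == 1}
    alerts = []
    for eid, d in events:
        if eid != 10 or d["SourceImage"].lower() in SUBSYSTEM_SOURCES:
            continue
        if parent_of.get(d["TargetProcessGUID"]) == d["SourceProcessGUID"]:
            continue
        hits = decode_access(d["GrantedAccess"]) & SENSITIVE
        if hits:
            alerts.append((d["SourceImage"], d["TargetImage"], sorted(hits)))
    return alerts


def _event(eid, computer, **fields):
    """Build one Sysmon-style <Event> with an abbreviated System header."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{data}</EventData></Event>')


HOST = "win-host-236.attackrange.local"
UF = r"C:\Program Files\SplunkUniversalForwarder\bin"
SPLUNKD = "{97C2ED32-787E-60B6-C000-00000000C501}"  # process GUIDs as in the export
NETMON = "{97C2ED32-DF2C-60B8-5D58-00000000C501}"
CSRSS = "{97C2ED32-772E-60B6-0500-00000000C501}"
SVCHOST = "{97C2ED32-772F-60B6-0C00-00000000C501}"
SYSMON = "{97C2ED32-7730-60B6-1E00-00000000C501}"

SAMPLE_XML = "<Events>" + "".join([
    # From the export: splunkd.exe spawns splunk-netmon.exe (Event 1) ...
    _event(1, HOST, UtcTime="2021-06-03 13:54:52.933", ProcessGuid=NETMON,
           Image=UF + r"\splunk-netmon.exe", ParentProcessGuid=SPLUNKD),
    # ... and is logged holding PROCESS_ALL_ACCESS to its child (Event 10).
    _event(10, HOST, UtcTime="2021-06-03 13:54:52.932", SourceProcessGUID=SPLUNKD,
           SourceImage=UF + r"\splunkd.exe", TargetProcessGUID=NETMON,
           TargetImage=UF + r"\splunk-netmon.exe", GrantedAccess="0x1fffff"),
    # From the export: csrss.exe opens the new client process with full access.
    _event(10, HOST, UtcTime="2021-06-03 13:54:52.932", SourceProcessGUID=CSRSS,
           SourceImage=r"C:\Windows\system32\csrss.exe", TargetProcessGUID=NETMON,
           TargetImage=UF + r"\splunk-netmon.exe", GrantedAccess="0x1fffff"),
    # From the export: svchost.exe (lsm.dll in the call trace) queries sysmon64.exe.
    _event(10, HOST, UtcTime="2021-06-03 13:54:52.932", SourceProcessGUID=SVCHOST,
           SourceImage=r"C:\Windows\system32\svchost.exe", TargetProcessGUID=SYSMON,
           TargetImage=r"C:\Windows\sysmon64.exe", GrantedAccess="0x1400"),
    # CONSTRUCTED record, not from the export: a binary in a user-writable path
    # opening lsass.exe with VM_READ|QUERY_LIMITED_INFORMATION (0x1010).
    _event(10, HOST, UtcTime="2021-06-03 13:55:10.000",
           SourceProcessGUID="{00000000-0000-0000-0000-000000000001}",
           SourceImage=r"C:\Users\Public\updater.exe",
           TargetProcessGUID="{00000000-0000-0000-0000-000000000002}",
           TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010"),
]) + "</Events>"

if __name__ == "__main__":
    for src, dst, rights in triage(SAMPLE_XML):
        print(f"ALERT {src} -> {dst} [{', '.join(rights)}]")
```

Run as a script it reports only the constructed lsass.exe record; the three Event 10 records taken from the export are either explained by the matching Event 1 parent relationship, come from a subsystem process, or (svchost.exe with 0x1400, QUERY_INFORMATION plus QUERY_LIMITED_INFORMATION) request nothing that touches the target's memory. The parent check only works if Event 1 and Event 10 are triaged together; a rule that looks at GrantedAccess alone cannot tell the CreateProcess handle from an injection attempt.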
354300x8000000000000000650516Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:53.773{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50032-false10.0.1.12-8000- 23542300x8000000000000000650515Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:57.017{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37930AF63158AE6774DC968BC9856D1D,SHA256=D12D3F58F68DA40D77CCBCA58A9DDECD65C4223EC423FFEA53F73B85073392E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595829Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:57.308{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595833Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:56.044{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49794-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595832Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:58.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3989AD683DA20B3B965E7515D9393E0,SHA256=5C9E526E80EA15B040780FD2119C537512FF1AA79240A6E14E9E094B92F6019D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650518Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:58.189{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672CC544F95CBE5D1E3ECA0C6695294A,SHA256=645758C3CA0F1428614A5690242ACE9991F656D4D4DF81D5C5071578201CD578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595831Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:58.308{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C447FD5686F640FAEC6D184C37374E87,SHA256=A5EFDAC37724C7DFFD3A2CA9522387CDE48C8D08DE5EC2FACF737FD889DBBD4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650517Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:58.173{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3186324D0D7FBEEFF82975ED61CEB833,SHA256=1AB3E45F1492E30ADA98424EC92DDF53A5E5E1B6D495F20DD388180463F0B7D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595835Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:56.122{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49795-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000595834Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:59.777{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19C083043B46D7D8B67AE4FB03CC017,SHA256=41A4E909CF5A5E04BDE1697DA99C54408F6A88B4DBF04C64DBA9B987BC007D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650520Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:59.345{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B57C3EADCE458BC09F805CDC7B81A0E7,SHA256=80CD76C4F9860B8DA57D9DF985785511000E04952F132DCEBA8ADE5C8CEE2C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650519Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:59.204{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6A33E34D189E0F79B374FD92E901E8,SHA256=E99EB06F5A5F6BD8033EF5E010E87F9D33CF9DBC04258D40B38A52458189612A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595836Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:00.777{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13108F07A56898A2E9E099CEE0CE27A7,SHA256=ADAFC4AF2851CC82E4B60C6AAB87A9BCCA53A2A7E5302474C3BF27BCF5D5BCDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650523Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:00.392{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A0A7F216EB7FDCF54F7BFB4E242B4AA,SHA256=7AF8CA42159DC9214E716A632B33D47AA359A82CA9B5F98D25744F159F696869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650522Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:00.267{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650521Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:00.236{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D122BF6EA0F64DA01433A4E24B3A21,SHA256=84A907AA637C45698BE6236123CD93E2557732B25E8B72A04808C85D101952B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595838Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:01.902{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F4864DAD8D954B4EFA2D0712286E6B48,SHA256=12565C5C68337EEDAF360902C450596F75DA25F17194B75D972F2D41C3186A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595837Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:01.777{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C541C69091DA91100D606173D998E504,SHA256=72DDA1087A0F88A4F17B3EC867F77FF836D646AA3BA040FB550ED98E8BD99B3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650526Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:57.787{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50033-false10.0.1.12-8089- 23542300x8000000000000000650525Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:01.626{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEABA3A23842A3061DA7E835E4FC976B,SHA256=3EE0D8365944A730C9A5A6D2650D5C5D84EF38D8D474B501FD1DF51BA8FFD65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650524Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:01.251{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684DBF661B1B1DBD53439FE5BDA53AD5,SHA256=0C8EBAD0B5863E845EBD5B4E4598FE85A46004E44D88ACC9A3D3D5B10DDE95CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595841Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:02.886{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CF39AC174BA6F49A7D086D8DACA5FF59,SHA256=FFE1C8654959600A43A9C0F80B7E51E5377CC79FF0DDD62173930DF922E92E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595840Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:02.886{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0787DDC60CCB4A0C15FE13F75273E61C,SHA256=8542DC4E69C7D5000DB45DC0397196C03666140E4DFE36E6637FBAF56AB3524B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595839Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:02.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9583D89080F50354C19E5FA14ABCC10F,SHA256=19B88706C08F11FE2CC00F9A07F942D7F2E988B04063CE1408A18F6F829BDB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650528Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:02.704{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C663B7860F0F7689AC1AF37B1DEFD734,SHA256=BDA4BF51B55E583273A99EDF97B257B82DC096BA463B3D5E789F2DA45B742364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650527Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:02.314{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D89675F78492DAB898BC90EF84C866,SHA256=B4C2B3B374FA959DB5563409CCED7D47538B68E0F64697402DF329CA9AD74874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595842Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:03.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681A42C5090469FEB300349C5EA42182,SHA256=5796F4D00EB26087BC22ED090D58DD10C1A0528D68D6CE13EAB207A94966BBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650531Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:03.970{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A262CBC9A5ADE97D62A1C697493BD34B,SHA256=810BD69843DFDDD30F07EC4002AE3B7A6265BFA6264A9E6E542B10424F87CF8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650530Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:54:59.757{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50034-false10.0.1.12-8000- 23542300x8000000000000000650529Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:03.361{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E5B213EB088C2FB2F4BDEBA8A0BBE9,SHA256=FFC99E1CDFD0CD8BBA46CE8B8E2A54A90A80F61AEF01183172D33CD68340C077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595845Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:04.808{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=957C63A205663779899160F127CA551E,SHA256=C1F3B90040A71D21398129758A6C2566979EBBBF981D6EF97ADF6AFFE67B63F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650532Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:04.361{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB920EC841E408A583239544E48F8A59,SHA256=4BF445A46EDF6C7987BF0E2212111A34638DBB6F4C17FED805205D7F286EEA70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595844Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:04.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31568C0B3F5F9E9BDE60E9EF31D293F3,SHA256=6432D1D7B859F0B1CF07AB537758C902F433D547628C078C8F66B8FAFBDF9418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595843Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:04.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE5EA392862B1935FEA66A6979D460BA,SHA256=6372F62DAEC63E00BFB10EE108205994BB86D539EDF93EB513840518C041EDCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595847Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:01.997{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49796-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595846Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:05.808{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59DB507E698A31A0001172A8DFFF5426,SHA256=D3179324C68570EDBAFB760D698A5548F62C04F72788EEC782D1349074BADEC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650536Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:01.585{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local50035-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000650535Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:01.585{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local50035-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000650534Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:05.439{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CE323BC2F6B74737E765C0A80169F6,SHA256=7F0EFD4086AAF5C0DACB3DBB93EE55F42709B268FD2FAC7D86DCE008D55CD266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650533Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:05.079{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1E41E1C014F81393BC8C01FB072B358,SHA256=47FDBE32569E50AAA2DAA8408117CDE30FA991C4AA987B0B0B7ED1FC78C754B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595848Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:06.808{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A8E226A7B4D8E5249ABA8EE9EC66DD,SHA256=14293CA56E666C1332AE0BB272DFEE883211B3E93900B889DBBAD87A6AA5B852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650538Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:06.595{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25726C9D3FEF893779C7ECF9EDA2662B,SHA256=5A4CFCD91E11A20BB7086114A365ACF9891F6EF3BBD066C9A3C0E8C0BD6D182F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650537Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:06.454{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AADC6CE702DD04C058C9AB8E444349F,SHA256=6A2EEE040C6B28E0B9A4FCA7DE93D0C107238F42B9F37DBB5744067D60492A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650540Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:07.782{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9037AE958DE9E77BF08B7505760715EB,SHA256=B12454129ADAB2B93C620AFA64FFDD77FA068811B8143DF47EEDFDEA2293EE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650539Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:07.548{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD8BD03AD507BCF07B4A62FFB5373F0,SHA256=EA0A21C4814892D5A0A059409F495E6EBE76C74A6067A6C82274A23AE73FB7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595849Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:07.839{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E076B559FF5A777908117749322546E9,SHA256=260DD15A9ED31F0D7EE70642DA0F1EFA57F9C73176724F7EF6A1F9EB5C21B993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650542Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:08.861{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A21887B1F8CE626345300DD2DD2A006F,SHA256=C5A45EE10388FDCD1E946AC05E9D4E03FDBD169AE4550FC910EF124EC02C26CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650541Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:08.642{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F03B67D331D03D3FE8357F1353A422E,SHA256=F202B719618107DD6C5AE146D673BE54B161209458381F1D14B1377D69B340F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595851Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:08.855{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0A4B4703A8F2765BB63FB968EE68AC,SHA256=68920874DFFEF6B84D8F3E9336B6C90C11195C2BF1D0B47E79AAFCADBF63302C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595850Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:08.105{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650543Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:09.876{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747BF2920A952450231D368690B2BB50,SHA256=FAFC88DFB1B7D245E85A419CAF35BE98F7E66B459C5BFD434E899E356A17D339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595852Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:09.855{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F0CA3F0E857B986BEDE6FB152EAB930,SHA256=A733D79E4FB8E22B8842C9C8D7649E79C3C28FA6CF3C768378E91C89C155618A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595855Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:10.855{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468A4AC30EDD41151CFF0F5FD6D08B28,SHA256=8D820ABD61D13DD7BB95B7696AA0E6FB69226AA26F9AF886102EE0F9EE515DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650544Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:10.048{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C0D2825D8CC6FFB29BD8644696563D6,SHA256=0B780E7F1942DB92C60E7F9505FFFC0A287D17B6E4E45906B28C18B8E1BD08D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595854Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:10.277{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF37C7DF4AC5F105BD6BCFEF057F1D5E,SHA256=5516837639B67AE33FC92D167262E073F878BB66931D33A34AD73ABD4745B4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595853Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:10.277{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31568C0B3F5F9E9BDE60E9EF31D293F3,SHA256=6432D1D7B859F0B1CF07AB537758C902F433D547628C078C8F66B8FAFBDF9418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650547Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:11.142{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=514042CF012ACA2DA359273099D66AF5,SHA256=378E382241B3BF7F1DFC7CCD3753313A413FC4B4E76F27A5419169CA14E1B54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650546Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:11.111{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539F71354682CD611CFEE4BF83229DD3,SHA256=1AB03B3607746152186D75D02621A67CC9A740E173A78F4B5CF9C5F3B5E3EF6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595883Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:07.982{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49797-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000595882Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595881Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595880Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595879Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595878Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595877Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595876Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595875Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595874Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595873Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595872Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595871Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595870Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595869Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595868Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595867Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595866Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595865Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595864Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595863Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595862Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595861Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595860Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595859Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595858Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595857Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595856Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000650545Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:05.584{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50036-false10.0.1.12-8000- 23542300x8000000000000000650549Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:12.345{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550C75956835687A12D226578655DDD0,SHA256=CBD991D6192FB73CB71BCBA90FC6ABED3E466A7BBD0E09779FDD59810DDC0BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595884Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:12.136{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37364E79336DDDABA506C496E7690EBB,SHA256=2F52CA14949F007BC31401943A698D2247EB41B717D14C5F36562C3CD79C5EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650548Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:12.282{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8701AF84DA7B7809346D0056390F7881,SHA256=4C272CBFE57121FFBBAA4F524C6194F4D0938DF5D5697E5F52EA541400FDF2B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650551Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:13.423{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF7E04C9CA181218A8BFB6FDC23711B0,SHA256=A05DA739F6CEF09DA99ECF4CA47FA39EE0994C1CB9A06918426C87EA5EA1DEF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650550Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:13.361{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F8A97899A8CF53EC2E1B5A577A25B4,SHA256=228C3F674FB619A10814D5F130E6D28FFA7CD82F9F1B0BF3B6D9E296EB9DBC40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595885Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:13.167{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0125E48D31CEA2BEA01335FD127E90E1,SHA256=E20A7E7C59F8417EB9CC9960489DBBD86F525BEB282ABC9292AE9B28CD4B2085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650553Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:14.564{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88A36C8E66DFA9FEA4A60668C6B3F1CE,SHA256=DD36061D8DC957F886572CF1E5AF07A717D85C64A36D223101FACBA22FB51E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650552Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:14.407{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65D7E80A513D8E43779DA6052D57590,SHA256=CBC31A6A50E20FC692F7D50007296E22D8A1956E91F92B2B1C5A0E63F09BDAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595886Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:14.167{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51976E8E82B3612CE424D60380FA8A9,SHA256=8142D1416FB3ACA44BFA4E63E69CD8C556C5C30BD8E24B6C255ED5CCB2672BE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650572Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:11.569{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50037-false10.0.1.12-8000- 10341000x8000000000000000650571Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.829{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF43-60B8-8D4E-00000000C401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650570Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.829{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650569Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:15.829{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650568Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.829{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650567Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:15.829{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650566Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.829{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DF43-60B8-8D4E-00000000C401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650565Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.829{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF43-60B8-8D4E-00000000C401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650564Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.831{D419E45B-DF43-60B8-8D4E-00000000C401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650563Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.704{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=747FDCC4606A647E28F48EB5581A0319,SHA256=8D3DB25C3589EB7598107824C0F9B412DA6744811923713CB4362EAC70FB3779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650562Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:15.439{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEDCE6B723A3C30A3F11AF02B7BB4E6,SHA256=B525B759A886720B082E718D42BF941DFA81723150E3E9DBC72908E605BD557F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595887Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:15.167{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FD0B8F2C6232C8EC106671D1FD12A9,SHA256=65CBBF48419C9A2DFCAC5C254E629E9C68DDAE62D5C1CD1BFE9D40A4CD20C57A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650561Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.204{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF43-60B8-8C4E-00000000C401}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650560Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:15.204{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650559Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.204{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650558Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:15.204{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650557Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.204{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650556Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.204{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DF43-60B8-8C4E-00000000C401}3492C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650555Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.204{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF43-60B8-8C4E-00000000C401}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650554Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.190{D419E45B-DF43-60B8-8C4E-00000000C401}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000650592Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.995{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF44-60B8-8F4E-00000000C401}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650591Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.980{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650590Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:16.980{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650589Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.980{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650588Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.980{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DF44-60B8-8F4E-00000000C401}1368C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650587Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.980{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650586Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.980{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF44-60B8-8F4E-00000000C401}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650585Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.983{D419E45B-DF44-60B8-8F4E-00000000C401}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650584Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.980{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EC98375E618A724E75D28516261B382,SHA256=88E2995DACBE240D79D353C8DE089D87C41C055FE37DB8F9F61FC23039DA83E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650583Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.542{D419E45B-DF44-60B8-8E4E-00000000C401}8726236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650582Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.486{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC9695D25188A5F359F57C3CD861B26,SHA256=1E19BF551AF5702EAB0DA91B97E2B278333FB119C21B7F7E0C61068AE1BDB6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595890Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:16.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5504F7FFA13CAF3E727B4068663F74F,SHA256=5C6BA0B12C8CD519A462383D58E92ECDE9AF20BFAF4E9A6756B7EE3A358D8740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595889Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:16.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF37C7DF4AC5F105BD6BCFEF057F1D5E,SHA256=5516837639B67AE33FC92D167262E073F878BB66931D33A34AD73ABD4745B4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595888Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:16.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203CB78520BA2FB4483B063B2DB86B6B,SHA256=4D00AB35931285ECA965486E3E7A2A9F42923EEEA5D20D2F25DC246467580B03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650581Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.345{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF44-60B8-8E4E-00000000C401}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650580Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:16.345{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650579Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.345{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650578Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:16.345{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650577Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.345{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650576Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.345{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DF44-60B8-8E4E-00000000C401}872C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650575Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.345{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF44-60B8-8E4E-00000000C401}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650574Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.346{D419E45B-DF44-60B8-8E4E-00000000C401}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000650573Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.064{D419E45B-DF43-60B8-8D4E-00000000C401}4088880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650603Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.777{D419E45B-DF45-60B8-904E-00000000C401}3444816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650602Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.605{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF45-60B8-904E-00000000C401}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650601Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.605{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650600Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:17.605{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650599Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.605{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650598Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:17.605{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650597Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.605{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DF45-60B8-904E-00000000C401}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650596Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.605{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF45-60B8-904E-00000000C401}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650595Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.606{D419E45B-DF45-60B8-904E-00000000C401}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650594Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.558{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7C16830E8AF34D58288E6290384667,SHA256=A9B2E49344579CE2C1BAEF0B28925ECE120FBA8EB52CF3634063E2B0D92958F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595892Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:13.997{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49798-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595891Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:17.193{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B4E8415763A5AF5DACC235A5FADD6D,SHA256=B9CA43423253356ABDE9B59C7B1C51F0A89B53760574A3D708D0316E1A4DD837,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650593Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.183{D419E45B-DF44-60B8-8F4E-00000000C401}13686608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650621Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.730{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF46-60B8-924E-00000000C401}6112C:\Program 
734700x8000000000000000595927Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.802{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000595926Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.787{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595925Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:28.787{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000595924Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.787{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.3503 (rs1_release.200131-0410)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=4B455FA2A15BE4C278D0D655A7EA9543,SHA256=1C04ABE14400CC4175704B08D008454820BBF14BFECE1934A82756A6037E681B,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 10341000x8000000000000000595923Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:28.771{97C2ED32-7730-60B6-1600-00000000C501}12042540C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595922Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.771{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595921Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.771{97C2ED32-7730-60B6-1600-00000000C501}12042540C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6058-00000000C501}6044C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595920Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:28.771{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6058-00000000C501}6044C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595919Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.771{97C2ED32-DF50-60B8-6058-00000000C501}60445376C:\Windows\system32\conhost.exe{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595918Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.755{97C2ED32-9094-60B6-BC06-00000000C501}9441004C:\Windows\system32\csrss.exe{97C2ED32-DF50-60B8-6058-00000000C501}6044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595917Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:28.755{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595916Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.755{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595915Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:28.755{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595914Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.755{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595913Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:28.755{97C2ED32-9094-60B6-BC06-00000000C501}9443580C:\Windows\system32\csrss.exe{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595912Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.755{97C2ED32-9D3E-60B6-7A08-00000000C501}33643512C:\Windows\system32\ServerManager.exe{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\
1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000595911Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.751{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000595910Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.708{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=ADA38238E842BD3C756A3FD127EE3703,SHA256=3D48016B6F04755236E9CF8EDC297D2BE909B162A1B45E82250900F49C815358,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595909Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:25.913{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49800-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595908Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.365{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66DC3279F7E29B555480C00C0ACD5F89,SHA256=CE978F055E27CD5199D81A783EEC44B37B663F490B81369FB386F4CA0E24A222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650640Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:28.011{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8F06C124C9A1A2B2AC11ACE23137B45,SHA256=515F42759B791DDDD23628C7AD1092E62246A0A96EE45B286B6B72292A4744E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595907Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.318{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0468EE0F7493A93697754916BFB30FB9,SHA256=3501F23A150FFD3486E58E39CBFC15022BC33D0182A6E4BC2D8AAE2CAF0674C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595906Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.318{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF86DFD8A2A069708E2B24DCE400B6E,SHA256=4358F3BCAC721DFA8C3368901F24710B899F868BE5F569EC77CA94927970D178,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595952Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.958{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595951Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:29.958{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595950Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.958{97C2ED32-772F-60B6-0B00-00000000C501}6283676C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595949Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595948Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595947Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595946Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595945Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595944Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595943Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595942Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595941Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595940Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.755{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0468EE0F7493A93697754916BFB30FB9,SHA256=3501F23A150FFD3486E58E39CBFC15022BC33D0182A6E4BC2D8AAE2CAF0674C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595939Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.740{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A400E79D6BE458F62B19523198A2CC99,SHA256=9A922718C00C70B438BFA201BD04E1995558F12AE27563DE2D78B2E8FC6F9A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595938Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.740{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CF39AC174BA6F49A7D086D8DACA5FF59,SHA256=FFE1C8654959600A43A9C0F80B7E51E5377CC79FF0DDD62173930DF922E92E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595937Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.427{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23EC6772FFB6FA8FC43CDAFAA010FA9,SHA256=825DFB972B66A42E3F03749F9E1A4E4C1771A38B7E8957795669E279E9796C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650643Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:29.777{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C6BCD75C4FCABCE28D085C0184208A,SHA256=360FA6EDC1F6B2D6D7CAD588F044242D74D84724EC504152A58B676E9A1B2EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650642Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:29.152{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4863FFCAD959BF0CAC74D5D9E2C78BFB,SHA256=AECB772A38041E2D79596EAA765BEF54210F35B81BF09AB30A2AA8712A31E456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650645Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:30.792{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D684EDCD2F1BD910B4438EAE984F3D99,SHA256=0680F03DD2B8F9CB8324D0B478DA8DA2CFBDD015F343AE294199C9B4A41E0668,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595955Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:27.637{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local49801-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000595954Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:27.635{97C2ED32-DF50-60B8-5F58-00000000C501}5224<unknown process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local49801-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 23542300x8000000000000000595953Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:30.443{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3972040A0700731290858E7167DC86EE,SHA256=266505A45266088FD51971AC70F2AEF6D4DEE64D08D77B645BB00CE3C0A6FAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650644Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:30.402{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88C96FF062A40398634F0D394E2A6E87,SHA256=2CD8CBD088249443620D5F69D45E753EA933AD0857E51F38C2A52663ACA9B421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650649Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:31.808{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5680856F1BE99195489ABC64E7DB17,SHA256=A02B207E33F1A9D392CFBAE7E0DB06CE6CBC7C1977590DB0DD155532C8D96CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595956Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:31.474{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7210AD4A44994B6CE08B7C263E1154,SHA256=B3927E862A8DB3E1610D60E7034C18BECB08026966D729FADA38350B8C79AC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650648Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:31.542{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C06402FBC27BA8F93E4AC2F13987FA91,SHA256=6E44AC107882AA787BD22885219260D5686B36A031401699A1F201FF3FB48F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650647Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:31.542{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2303F94F9FD0F8D1B946B033897DF326,SHA256=2182EE36EEA04CF71C4FB6AFF7C32E5BAFC7ED710E50DC54BC6EA455FFCE8318,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650646Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:27.687{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50040-false10.0.1.12-8000- 23542300x8000000000000000650650Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:32.824{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B6300BC5F70F1DDE46D6379582D440,SHA256=8EA063963CCCC275548D3568A515640FAE3383A3AC72DF4B99CF0125B85E1BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595957Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:32.474{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9EFE2F35BE33AC58D9487BBE412EE2,SHA256=2E0214C0261289D8A0A2ED881DE9D7FEB304FDA97E8FFF9C310D13F0F7AD1017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650652Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:33.839{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5607F9217E7D1CCA28E2F02716F23548,SHA256=DCB5FDCB7468803043AE6C9DF20CA1A7A937599F2B7AF67DADA540C044B0657A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595959Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:33.490{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63DFA4FF683D74607BB8269ED1F4447,SHA256=426542B965325359E0F5BFAE34507CE1BA6E397D2072CD16616D365D5D43F24F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650651Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:33.042{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12142F562075FBED59201565C51B4148,SHA256=31E448A572F274B157FDE7691ED25807B78CC44B1A7F7F63373B43FF73733CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595958Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:33.130{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4105574B11FA61CCD85C2F2DB950E38A,SHA256=774973AEF177E177D9C12A5371572A62678CC0F4DF8E2EAC8C3820DC940A9E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650654Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.855{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCAD16BCECCB550FA88F08E5F7B577D,SHA256=18B3719A594A0E51BE2C70A8CC90E92279D52BD5F8ADF0E39052D2DB3E10569A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595961Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:30.929{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49802-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595960Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:34.506{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5BE1FD91AE235DEBC10B03C0A9F7AA,SHA256=9F2F52BA861CBA38FAB9FDD5BA6707A1108C292161AE3FA5D1D59191DE74B5B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650653Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.183{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC59EEE911DBFD3A1DF0C87765614420,SHA256=747446696F530C88B85727A42DF535D9E76DFC0B5D8D9A369BB50E2A7CF9948B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650656Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:35.870{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C38B4DA13E913FA40502AEA190CD488,SHA256=984989FE14D7312D17E824DBC503E000C4BAA5333CA5430CCCB07C5A86CB3CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595962Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:35.535{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7F2D58FB723988184E3DD1261051D5,SHA256=8F2769680A627E4DEE4B36F72749E5089CA6387917E423AE4F6DB3E4CE5EF3E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650655Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:35.324{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C77204C5691CBBBBDB61C2B1FAB1AFB3,SHA256=75BCE2695E5C19B2267B8206D3FEB1681566F28938C6CD9B0E375B7E01A76003,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000650661Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:55:36.893{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x8000000000000000650660Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:55:36.877{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication 
Groups\368F3813-04AC-4615-AECE-5D3085605520\Config SourceDWORD (0x00000001) 13241300x8000000000000000650659Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:55:36.877{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\368F3813-04AC-4615-AECE-5D3085605520\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_368F3813-04AC-4615-AECE-5D3085605520.XML 23542300x8000000000000000650658Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:36.877{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7677181B9200701B483072EE422C356A,SHA256=07E85B199BEBC2929E4FD7B7A10AA48618DB85C7C641ED5000412E5A6D424AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595963Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:36.542{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B33D2951AE023761EC9F41CABA4288A,SHA256=351852237CD2C58B1D648A49B36FBBFE57F5E1A334342A30813079FC495162A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650657Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:36.705{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8273DF2360F950621F701538F814EAE8,SHA256=7478066B53F361270B48349739DB09C8AC5C7F628443B95D8A0B3DCA5F9BB776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650663Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:37.890{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A9B513C2840E313E5B967E75D66E29D,SHA256=D117E6771D03E6D3F11BC30911F4CD0A3F6A1732A82B6BE073D1256F929DB0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595964Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:37.558{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C259E940BCCEB4572C4EDC5CAE57E4,SHA256=D95E4AEA45CC7F467804C617B5687A8884C2F7701037D4B5825F181D9C2F6412,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650662Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:33.705{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50041-false10.0.1.12-8000- 23542300x8000000000000000650671Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:38.894{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE88A1F49B98E2E85E6A2ADBE2C47FC2,SHA256=20D3EF29A3A4A040F48A9C7885B692275C274E5198C6903CB102746274C08EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595967Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:38.558{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E0FC2858143E31F29C1053B611BA9B,SHA256=64C54CF5403DFF08D1CC147E1A3B3D7B0B478C5AD3E99A18CA2E2DE8D2424B52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650670Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.422{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local50044-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000650669Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.422{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local50044-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 23542300x8000000000000000650668Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:38.187{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6312FC69FA65742B00EBC0B16D6C886F,SHA256=4B32A1770BA124BFD81247D035B87B4C9F7E074D9350132B61F4F080DABAAD9F,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000650667Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.415{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local50043-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000650666Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.415{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local50043-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000650665Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.399{D419E45B-752F-60B6-0D00-00000000C401}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local50042-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 354300x8000000000000000650664Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.399{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local50042-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 23542300x8000000000000000595966Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:38.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABF28528BE7CC217665FA55DD208D0AB,SHA256=37FEF50A1D8E47035A71085B9831C1819B32882B6A8CDD273A6AC5A59BA0D0BE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000595965Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:38.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1992AC0CB9C79FF1911DA8267C6F1220,SHA256=8EE505A3DE9D75F3451A3596B16E72DE68F41E262545B326AD6C91E04C4CFCF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650673Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:39.910{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51CD1BB235F5964D9D4967B223DA9F6,SHA256=B1CE19B78E0EA6E38FE7E9154EB35FFEC0267E24B0F4C2BCFB3F8DAA011137F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595969Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:39.589{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21419E0D1BC494420F909DD88AD2F64,SHA256=0FFA6465E7DB78A02B98AC40BA3BF6422FBF9785293E60F84FCFBE03237FDEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650672Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:39.331{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11AB077224B2EDB3DFCCF30F6F782CE6,SHA256=22E8AB8DB747A6B551DFD62AADE8A87ABB2F51FB4C91B798CCBE2FCB187D1571,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595968Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:35.997{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49803-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000650675Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:40.910{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465D648C59BB378A0FCE98C2E612C72D,SHA256=49E3519A2955F151AAD8ECAE334A962EC542E1247365A83F5FF116E8C9764BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595970Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:40.620{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6968EC1333B796E4223F87CE0F3E22,SHA256=78DA4C0FA370662B56BF5166527DBA2F90E22B4A357FE0B12BD15D1E7E95D337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650674Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:40.581{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C4C615CEFE0A84B331C669F0AAB28AE,SHA256=C69B5B198017F7623C365D8D80B0CA2E42B2431E2F430EFC7B3EAA801772A5CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595971Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:41.636{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050C562766666244B19EC59F98FF1595,SHA256=62F606ED90DDBE5B587B04571BCA9CF2C8AF3FEECA01AEDF922858A6E95675E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595972Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:42.652{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E986A51F724A97DA853AB9147DC7BD5B,SHA256=3D1BBF240E88909D2521CD52C29BB67802245B73F0ED640EBCA99B48869E1918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650677Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:42.081{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB1DEF4CEC64C15E23F5548133F01BBC,SHA256=931A8296DFC909938F4157FC27D61896CC3BD8AAACDC0656B0B7DBB8CF7D3B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650676Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:42.081{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB02296F83CA91F7C7748C3E2844D79,SHA256=8BF78A098AE4E6EFD4E2AAD15045D9F2F83B2F063EC1F7FDE3FB3413909AE3E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595973Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:43.652{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0964EDCD3B9D6B811CDE93D791F1028,SHA256=9BAC55C750E29DCE7D7189E63D8B0AC84738CDBC1320FE91902C867952A182EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650680Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:39.695{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50045-false10.0.1.12-8000- 23542300x8000000000000000650679Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:43.222{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD0A00EB847A8AFCB6D3C84611076BF9,SHA256=70D7E7181AFB010EC66F81390A15DA9EB95C9AEEC738E4D928AE6D962F489EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650678Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:43.097{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDF8B54F6153B86600C7E042B72FEE8,SHA256=29F920726B331C3B9925053571C437A1A6F357CDE657D56FD7405FD666677036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595976Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:44.667{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8CC3DBBB4AB816F7BDD50C05815372E,SHA256=480EBF57B4146F1F8E5DFA1E9047BC35583E6BB402FD59AD98DB91B7E1C3EEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650682Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:44.238{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FBA56768188D052C924D8E70D7E2BCB,SHA256=7267EAD716D223413BC0688E0857A9016102D3B1BB705EB57A6B1D27AAA24AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650681Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:44.144{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4CB700F01381E7A16A8669AF41C7AF,SHA256=9F11408F2F6F3C01686A1E62E0E7734626E3242432629F3582F36890F5C78D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595975Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:44.323{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F764CEB2198E45745145B6D6F6D29A06,SHA256=F27310D67791D6FE1CB0920EB09F20B92498E5B24164BBA77336BFB2BA1B6837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595974Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:44.323{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABF28528BE7CC217665FA55DD208D0AB,SHA256=37FEF50A1D8E47035A71085B9831C1819B32882B6A8CDD273A6AC5A59BA0D0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595978Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:45.667{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D73ED874AB84E46C39476B9F98CF75,SHA256=28281F3160AC079A8D9EFB75946FDB6CB079A84C7BCFC43E4273ECF58E67ADEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650684Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:45.363{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32AAACA4097A02043F5E3F814D3B774C,SHA256=4437A20C9D4D9CAD04361D1FEED6BABB0030CB86BA08F2729EE2E98808B56A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650683Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:45.285{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DA88760942607B0111771C3BA611EF,SHA256=BD34E9ED90F87C5ECA3B809537594E0593E9A5FFFA1D75045B9C3E36BCA9AA7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595977Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:41.935{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49804-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595979Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:46.683{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB25745064D2567E44FB16C13AA41A6,SHA256=3A535C9CCCF794F88DDC913663384A60A0D6C8FE7442CC8377E7C87D0582F6BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650703Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:46.878{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650702Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.831{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650701Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:46.800{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650700Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.800{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650699Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:46.800{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650698Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.800{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650697Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:46.800{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650696Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.800{D419E45B-DF62-60B8-934E-00000000C401}5805036C:\Windows\system32\cmd.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650695Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.811{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module 
c:\temp\AzureHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-DF62-60B8-934E-00000000C401}580C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\AzureHound.ps1 10341000x8000000000000000650694Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.800{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DF62-60B8-934E-00000000C401}580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650693Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.785{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650692Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:46.785{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650691Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.785{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650690Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:46.785{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650689Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.785{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-DF62-60B8-934E-00000000C401}580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650688Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:46.785{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DF62-60B8-934E-00000000C401}580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\Sys
tem.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000650687Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.783{D419E45B-DF62-60B8-934E-00000000C401}580C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module 
c:\temp\AzureHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000650686Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.550{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19157B9C5587D4949F366D34EF0C9A26,SHA256=D1827E2D9E033CE0604B528D322E4B19B498BFE56CE1E947BDF91E970074FCDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650685Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.300{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3ADFBAC1D5FCFF4961D242CCEBA629,SHA256=F5E1AAE66F603148DD209AAB7C9DCFD8C4351B0666EE370D932433DF5B33D7B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650716Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.800{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A3AF3E07C21634D4F4E674B6A277A41D,SHA256=A5D9489F274BE44FED2BCEE96458013C30E9BC5B71AD53E221A8F324EF57FDD7,IMPHASH=00000000000000000000000000000000falsetrue 
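The records above carry the security-relevant chain on win-dc-233: powershell.exe (PID 3200) spawns cmd.exe (PID 580) with `"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\AzureHound.ps1`, which starts powershell.exe (PID 4812) as ATTACKRANGE\Administrator at High integrity. Around it are Event ID 10 records in which lsass.exe is the SourceImage opening the new PowerShell process with GrantedAccess 0x1478 through lsasrv.dll and SspiSrv.dll (normal SSPI authentication work, not credential access), Event ID 23 deletions of `.IdentityService\msal.cache.lockfile` by the outer PowerShell (an MSAL token-cache artifact of Azure sign-in), and a steady stream of Event ID 23 checkpoint deletions from splunk-winevtlog.exe that is pure forwarder noise. The following Python is an added example, not part of the dataset or of Attack Range: it runs three detection rules over constructed event dictionaries that are modelled on the values in the dump (Sysmon field names, values copied by hand rather than parsed from the flattened text). The powershell.exe-to-lsass.exe record with the `UNKNOWN(...)` call trace and the source-image allowlist are assumptions introduced for illustration and do not appear in the dump.

```python
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Windows PROCESS_* access right needed to read another process's memory.
PROCESS_VM_READ = 0x0010

# Constructed sample events modelled on the Sysmon dump (values copied or
# simplified by hand; the third record is an assumption, not from the dump).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Event 1: the AzureHound import observed on win-dc-233
        "EventID": "1", "RecordNumber": "650695",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe import-module c:\temp\AzureHound.ps1",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"ATTACKRANGE\Administrator",
    },
    {   # Event 10 as recorded: lsass.exe is the SOURCE opening powershell.exe
        "EventID": "10", "RecordNumber": "650709",
        "SourceImage": r"C:\Windows\system32\lsass.exe",
        "TargetImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "GrantedAccess": "0x1478",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\SYSTEM32\SspiSrv.dll+11a2",
    },
    {   # Constructed (NOT in the dump): powershell.exe reading lsass memory
        "EventID": "10", "RecordNumber": "999001",
        "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(0000020A5F4B1C20)",
    },
    {   # Event 23: MSAL token-cache lockfile deleted by powershell.exe 3200
        "EventID": "23", "RecordNumber": "650719",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfile",
    },
    {   # Event 23: Splunk UF checkpoint churn, present throughout the dump
        "EventID": "23", "RecordNumber": "650717",
        "Image": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe",
        "TargetFilename": r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational",
    },
]

AZUREHOUND_RE = re.compile(r"import-module\s+\S*azurehound\S*", re.IGNORECASE)
MSAL_CACHE_RE = re.compile(r"\\\.IdentityService\\msal\.cache", re.IGNORECASE)

# Assumed allowlist of legitimate lsass handle openers; tune per environment.
LSASS_SOURCE_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_azurehound_import(ev: Dict[str, str]) -> bool:
    """Event 1: a PowerShell host importing an AzureHound module by name."""
    return (ev.get("EventID") == "1"
            and basename(ev.get("Image", "")) in {"powershell.exe", "pwsh.exe"}
            and AZUREHOUND_RE.search(ev.get("CommandLine", "")) is not None)


def rule_lsass_read(ev: Dict[str, str]) -> bool:
    """Event 10: a non-allowlisted process opens lsass.exe with VM_READ.

    Direction matters: in the dump lsass.exe is the SourceImage (SSPI work on
    behalf of the client), so those records must not fire.
    """
    if ev.get("EventID") != "10":
        return False
    if basename(ev.get("TargetImage", "")) != "lsass.exe":
        return False
    if basename(ev.get("SourceImage", "")) in LSASS_SOURCE_ALLOWLIST:
        return False
    access = int(ev.get("GrantedAccess", "0x0"), 16)
    return bool(access & PROCESS_VM_READ)


def rule_msal_cache(ev: Dict[str, str]) -> bool:
    """Event 11/23: MSAL token-cache files touched (Azure sign-in artifact)."""
    return (ev.get("EventID") in {"11", "23"}
            and MSAL_CACHE_RE.search(ev.get("TargetFilename", "")) is not None)


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("azurehound_import", rule_azurehound_import),
    ("lsass_read", rule_lsass_read),
    ("msal_cache", rule_msal_cache),
]


def run_rules(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, RecordNumber) for every event a rule matches."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for name, fn in RULES:
            if fn(ev):
                hits.append((name, ev["RecordNumber"]))
    return hits


if __name__ == "__main__":
    for name, record in run_rules(SAMPLE_EVENTS):
        print(f"{name}: RecordNumber {record}")
```

The run produces three hits: the AzureHound import (record 650695), the constructed powershell.exe-to-lsass.exe read (999001), and the MSAL lockfile deletion (650719). The recorded lsass event (650709) stays silent because lsass.exe is the SourceImage there, and the forwarder's checkpoint deletions never match. When applying this to the flattened text itself, parse the Event ID 10 fields in schema order (SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, then the Target fields) before deciding which side is lsass.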
23542300x8000000000000000650715Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.785{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F6280EBBD2EA229382F81C9EE06CA1C,SHA256=181159864EFE68ADA69B23DDF0AF1DF55AA2B642C18ECD183095DA9523D23A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650714Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.785{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB62270384AD3FD2D2D32B9A810C64B,SHA256=2855C2B91533DA1C8383F2978A75D398775F9423D2A704C3A73AAB5EB2EAB0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650713Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.331{D419E45B-DF62-60B8-944E-00000000C401}4812ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650712Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.331{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=576FC27C1FCEEDE6C23BE5CFFC4E1F89,SHA256=E12C4AE2488E5AD9DFF0DCAC17FA91682E376FB5D0EBFC889BA716B18D84D935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595980Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:47.714{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B1F650C387343A09D614EA1AD2D63A,SHA256=402F6906ACB8CA9FBC00F0CE599335E275229F94BA63D9955B4F49A3ADD39E4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650711Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.285{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650710Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:47.285{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650709Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.253{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650708Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:47.253{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000650707Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 13:55:47.222{D419E45B-DF62-60B8-944E-00000000C401}4812\PSHost.132672021468116005.4812.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000650706Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.206{D419E45B-DF62-60B8-944E-00000000C401}4812ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_1dzlpnwa.21z.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650705Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:47.206{D419E45B-DF62-60B8-944E-00000000C401}4812ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_p45h5qei.wwx.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650704Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.175{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_p45h5qei.wwx.ps12021-06-03 13:55:47.175 23542300x8000000000000000595981Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:48.714{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A32D39DF83A14F8CF7E9B31759BDF4,SHA256=B0985DB44D2ECB113A8ED418802848CA5A83FEB6F40B5FFEC79246DC284E8C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650721Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:48.972{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E3AEAF022FDB3697E22155D664F2AA1D,SHA256=8C2F206D1AB4727066BB514F4EF7B1935BA9F9F16ACCC5CB1755C9252B717FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650720Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:48.957{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=674ACC1E77E6D3CE928ED37C0647F4F9,SHA256=B4828CCCB5F12B14F1A2F8D750A3F2EB047BDDFC9C3E8C90019CF4B11C576BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650719Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:48.941{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650718Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:48.925{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650717Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:48.503{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E1B8A9FA5656D77F3BE5416525DE45,SHA256=DB2712A217D35B68D0D69CBF98061A2EA7935EE551AAF8C0CD484A209DBE9E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595992Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:49.730{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
13:55:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596019Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596018Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596017Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:51.433{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DF67-60B8-6558-00000000C501}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000596016Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:51.433{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF67-60B8-6558-00000000C501}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000596015Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:51.434{97C2ED32-DF67-60B8-6558-00000000C501}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000596014Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:47.076{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49805-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000596013Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:51.120{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0C00-00000000C501}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650749Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:51.300{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AB0E254BD60460AD2D5DFB32129AEBB,SHA256=9E616BD8A5CC9FF02FD3C8CADDF6BF6BA0994037523AC0D85B088D20A604E4F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650748Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.859{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50047-false13.86.219.80-443https 10341000x8000000000000000596041Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.761{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF68-60B8-6758-00000000C501}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596040Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:52.761{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596039Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.761{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596038Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:52.761{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596037Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.761{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596036Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:52.761{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-DF68-60B8-6758-00000000C501}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000596035Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.761{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF68-60B8-6758-00000000C501}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000596034Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.762{97C2ED32-DF68-60B8-6758-00000000C501}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000596033Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FE2F6EFAAD1923C0995E1ACD02EBF9,SHA256=662BA152369B4624A17EB4C03DF2DBF00225CB21CB9AE9A51ACADD17F14E56E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650766Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.847{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CDC47DEC4C91A98034E7ED6611D6AEB0,SHA256=A6EEFBEE3D9FBEC80D2F5B50BCB8003EF19F20450A8463527327A8308A4EC73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650765Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.738{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34B9D7B51EC092B0A4631E5E99AE9212,SHA256=B4BEB85DED709A559F99E482659297E0E16F13084A354443D7424963A550BD3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650764Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.566{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94C5443C7F2BB64938A3CADC3706B52,SHA256=80C71DF79E845EB22B447FD1FA19FC576BF1D67CA0BDF50BA959AE7EF922C561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000596032Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.089{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF68-60B8-6658-00000000C501}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596031Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:52.089{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596030Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.089{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596029Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:52.089{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596028Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.089{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596027Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:55:52.089{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DF68-60B8-6658-00000000C501}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000596026Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.089{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF68-60B8-6658-00000000C501}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000596025Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.091{97C2ED32-DF68-60B8-6658-00000000C501}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650763Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.488{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650762Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.472{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650761Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.285{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=367E7A75523CD24DC9E288C92B1C012F,SHA256=250D1D5440C42239F0840A2C63C9B31C968271ADA7B331650B28CFE34215AE18,IMPHASH=00000000000000000000000000000000falsetrue 
13:55:58.522{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650827Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:54.131{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50069-false13.86.219.80-443https 354300x8000000000000000650826Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:53.744{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50068-false20.189.172.0-443https 354300x8000000000000000650825Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:53.593{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50067-false13.86.219.80-443https 354300x8000000000000000650824Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:53.394{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50066-false13.86.219.80-443https 23542300x8000000000000000596060Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:58.328{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4530778BCBD2D990DC123D08E2E4019,SHA256=13606329C4D30BBB9D371529C13AC19497041A92DB5BE098D0F0AA95220C7344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596063Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:59.844{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84B036A1D0FACA0D47223BFF12BCE41,SHA256=70A3E86B6767781DC95DC4F7E4D5B5FBBCF518DE5A12D3B57BA53FE098786C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650840Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:59.537{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650839Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:59.522{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650838Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:59.319{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650837Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:59.319{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650836Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:55:59.304{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azrgpermissions.json2021-06-03 13:55:59.304 354300x8000000000000000650835Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:55.462{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50072-false13.86.219.80-443https 354300x8000000000000000650834Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:55.241{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50071-false13.86.219.80-443https 354300x8000000000000000650833Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:54.278{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50070-false20.189.172.0-443https 23542300x8000000000000000650832Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:59.100{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B125A7AB276C7DAD57E367ACB2222EA,SHA256=45BC7B1093D1AC2182B492F77161F8DB66A6C235F9D7D1B8D98100259E8A3D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650831Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:59.100{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=16F7A316ED6A3394DBBC51E60E698F54,SHA256=B72D6882F8E6EAB653B967F5CB9B808E93A495097A30DC254A3956C77988CBD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650830Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:59.100{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F35E204FDDA25319A7530DEDF9ABA6,SHA256=1EDFA45563A526EE47E32152E59A95B11FC084295F8028914A5341BB7975E199,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000596062Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:56.143{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49807-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000596064Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:00.860{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8356CF3FA77E82B11137D4F07B73A340,SHA256=36A05759B7ACCA01FFB2D2D0070F66A53883BDDD3BC401B2DCF936F9FD688B96,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:00.928{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azkvpermissions.json2021-06-03 13:56:00.928 23542300x8000000000000000650852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.741{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4AF56872689C597335F265AA9643CBA,SHA256=A1D59E311994985DBB5FFB33EE5C48EE0D0EE807E3174538E40BC0E823AC888A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.459{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000650850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.459{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.459{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.444{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.366{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6B792ECD6057CBBEFECE8D237C4647E5,SHA256=E27AC33710424436F85E7E1CE19092781C58379847B6F13EC080672A224DE07E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000650846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.287{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.241{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76E62D23E372935142B3A0639FA9538D,SHA256=81E072DE73715D82BEC30425568CEC97584D17B07259FB9A6ABEC7F6674DFA1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.241{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BBF70B982DAAEB8F51DC0208523147,SHA256=64375AAE4054AB37B18459E867D5703C683143C09330839FC27DAD377B62B6F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650843Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:56.210{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50075-false20.189.172.0-443https 354300x8000000000000000650842Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:56.080{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50074-false13.86.219.80-443https 354300x8000000000000000650841Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:55.624{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50073-false20.189.172.0-443https 23542300x8000000000000000596068Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:01.907{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=256AAC235F44F59E7A774E29E7BDE3CC,SHA256=08188A8D51DA27706A80B832B59C918AF4F9239A141B5CEC9C013CC698CE6778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596067Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:01.875{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CE5B86286015D34DE3523EE1E76D61,SHA256=22858F1BDD085D3EE6B1076517B0E63EA1DC630136BD66ABD0FD30367EF6C03F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650868Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.866{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=056AB5618C80356B2D0D841886810831,SHA256=1E9FCF1C5D9B6DE4578A1548D3D90EDB92B1A34D6CBE777AF6A5856F985C4829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.506{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3E87324AAED244626C144E359EBA4DAF,SHA256=7903CC550B6EE48F83E9916D3E48297EE801CC09A0A6B12961C7F803040E9451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.459{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.444{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:57.237{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50078-false20.189.172.0-443https 354300x8000000000000000650863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:57.081{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50077-false13.86.219.80-443https 354300x8000000000000000650862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:56.875{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50076-false13.86.219.80-443https 23542300x8000000000000000650861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.225{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.225{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABBB5732C68B929856EDEA7F15C9A8C,SHA256=3F6238C7550E275FE20B8BF1ABB3ECF7E2FD3EB146FE98B53C6A94F83A21674B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:56:01.225{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000596066Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:58.957{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49808-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000596065Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:01.125{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCDFAB9ECC84E2A7D3667B393C5EB101,SHA256=A0B01B8A612A3F47FFB6AC19E341539A9C2F09C80F311488D9EA59378CE874F2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:01.209{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azapplicationowners.json2021-06-03 13:56:01.209 11241100x8000000000000000650857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:01.131{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azprivroleadminrights.json2021-06-03 13:56:01.131 11241100x8000000000000000650856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 
13:56:01.131{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azglobaladminrights.json2021-06-03 13:56:01.131 11241100x8000000000000000650855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:01.131{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azgroupsrights.json2021-06-03 13:56:01.131 11241100x8000000000000000650854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:01.131{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azpwresetrights.json2021-06-03 13:56:01.131 23542300x8000000000000000596069Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:02.922{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A04355BDB9F25E5A1DA6C3220BF44EB,SHA256=57B09A4902FDA6DA6918A4927C7F84E95C444BEB137B3C5ABA548095611D1C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650875Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:02.928{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90F08FA3111094EDAE6DC609C0A5BC58,SHA256=53B3BC8B385F7DB13A794D00EFF42C059A3B743F6C8052526FF013776B145636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650874Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:02.678{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2EF860CC96194340B99999860BB40400,SHA256=03EA1FF5A473CA8434F775A9F5AFE40F0B9BD582EDF2ECC213D55646707B96EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650873Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:58.192{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50082-false20.189.172.0-443https 354300x8000000000000000650872Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:58.012{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50081-false13.86.219.80-443https 354300x8000000000000000650871Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:57.792{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50080-false10.0.1.12-8089- 354300x8000000000000000650870Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:57.620{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50079-false10.0.1.12-8000- 23542300x8000000000000000650869Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:02.225{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC747E22AFEE4ADF0C44CCF9CE0EA50,SHA256=1189E029575E0EAA42F74725DF9E07DB7216D4F463C0339839CEB0665414140B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596070Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:03.922{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECF0E90FE2E544EEBF77E10785D24D5,SHA256=AD9E1FA46433E9EC05651784B687D788FB070789040E6B789E26C3D9FA205BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650904Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.881{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azvms.jsonMD5=1BC81925A20C7F096502DCA2C9C47C9C,SHA256=6322AEC107856D523DC0EDA6564DD3643E3F8F4F11C5398BCF5BD2905A6E0C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650903Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.881{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azvmpermissions.jsonMD5=7A47EC350D1D2133DAD1DF478C97CBD4,SHA256=4FBBBD5F5C6D609250940B7F785EBBE1CCD853887C752B6075B2651031067D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650902Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:56:03.881{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azusers.jsonMD5=E144CFAD0FE3AA7EACBF3CA8FDC88182,SHA256=7C5C4DB0398C3A18AED6DA46B358D137B847E783ED1F9F8B839C0B5654C1CED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650901Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.881{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-aztenants.jsonMD5=D1D52BE3FA4CE6E2D2382CBBE77486E9,SHA256=6E5AA4D5B464D55A65D95FF36675321A8316B2D6ADA9DBFDCDC504E5744A7BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650900Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.881{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azsubscriptions.jsonMD5=5B499DC9AB3282214FEF6BCF0843A8C7,SHA256=8B33B8615ED1EA02DD47577B19D8EE2398FAFACF56E33066B778A0B86A151D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650899Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.881{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azrgpermissions.jsonMD5=6EA565ABCEBA55D19CF97E4C96E60B5D,SHA256=7052BDB6DE23B7452F9EB22362F8259C8484735656BA04183E4BD0B8E77BC248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650898Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:56:03.881{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azresourcegroups.jsonMD5=F6EC60B82A1DB86C4B8766CC6EB167D5,SHA256=6BDE29AA2214694A25CF1985C780E3274CC15E5BF2F9D3ABAB66D5D97E3F09D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650897Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azpwresetrights.jsonMD5=D4FA697B3330E334F135E70BD56B1727,SHA256=7BC07A457B9DDD01D44E882740CA583F370D31CE7490F40948552D3A47AB6827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650896Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azprivroleadminrights.jsonMD5=F78CA8D8BDF80D01E74ED7287665F1DA,SHA256=D693916C72B4F996FAB35A085C3378CDF188F376D40C4D894CBA74068DC23CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650895Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azkvpermissions.jsonMD5=9C478B11F7528FB3BAA8F4993BAF70B7,SHA256=A92449DED51E6EB4FF14ED36D24EB8A00052F2B69487F851BD05134F5D5118E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650894Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azkeyvaults.jsonMD5=4100B70CD1C1DCAE2715B81CE21345F2,SHA256=93D6F2CB90BDDA1EE8CF7372FBBC13D2BBD4E83F7B7B946C8D00216362234AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650893Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azgroupsrights.jsonMD5=C3B4A2BB61E6CFC06AB06FC89F3C9805,SHA256=350766AC6EB1012915C4D553E4B051B9108281880704FEE57B9C565624E7D782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650892Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azgroups.jsonMD5=2084BBD7754D35067B150A0B3D8863D9,SHA256=EA31AE8F35B76AD4AAF4B6194992E174636CE5AA07F61F17B9EB44DC734EED35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650891Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azgroupowners.jsonMD5=601630A1338D5A321681E8EB6D669E70,SHA256=6BFE453149EC66EBF11BCB4FFC035A3BF20478F3D42FF3CFBB25DF844176D5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650890Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azgroupmembers.jsonMD5=CCE2966BE725FBFFC01F218D2B4698F2,SHA256=8D5590A1636B35F1032D6DD8B40CD40CD8DDFF820EE9EA4971CDC03ED188CA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650889Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azglobaladminrights.jsonMD5=B8309D3AA5D04E8B9F46A80A3D9082DD,SHA256=4D131E8A1123E337F8FAD05B116CAD47D010C264BA5534C207DA2C2ED83DA011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650888Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azdevices.jsonMD5=6E0B808FAA0CCC7E25CEFF3FE2544ED8,SHA256=E86924891B7B1B68EC5C24CAF380E86D474FBDCC381B0A5703A61BFC62065B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650887Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azcloudappadmins.jsonMD5=78B89398A676E37D525E6732E8A4D662,SHA256=B7260D16327367A0ACC67E423EE3DB2E43303A874966F58E04A62124DCDDE9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650886Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azapplicationtosp.jsonMD5=152DFF62532242B467136D9FA375580D,SHA256=AE43BB0860EF7B14646EB45E24A7371470DC087F19009A046A6F57CBD7C1AA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650885Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.850{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azapplicationowners.jsonMD5=6AA018EB96650197815AE716B0942412,SHA256=55664B3231D64DB9A54A0844C028828C9E5F8827126D10DC5D5B8C09A0CB04CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650884Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.850{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azapplicationadmins.jsonMD5=FBD267B18D994FFD0670FE0D66079195,SHA256=3276C01CC052BB3666FD4B67A63E9B6042FB15409885D40A766BA37888D49E35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650883Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:59.359{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50085-false20.189.172.0-443https 354300x8000000000000000650882Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:58.993{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50084-false40.126.26.131-443https 354300x8000000000000000650881Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
13:55:58.766{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50083-false40.126.26.131-443https 11241100x8000000000000000650880Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:03.272{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azurecollection.zip2021-06-03 13:56:03.272 23542300x8000000000000000650879Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.241{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E6D0109CB12F71978094B4EDBD31FD,SHA256=926135D7672B2734D666BFB45A752C59804A70946DA5981154F2F8F6727763DA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650878Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:03.194{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azcloudappadmins.json2021-06-03 13:56:03.194 11241100x8000000000000000650877Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:03.178{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azapplicationadmins.json2021-06-03 13:56:03.178 11241100x8000000000000000650876Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:03.163{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azapplicationtosp.json2021-06-03 13:56:03.163 
23542300x8000000000000000596071Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:04.938{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AE11913AA7936CD0E369C368779F2E,SHA256=0F22A803CD1BE90AEA8C45D1985DA452BC99CF5971386E2E2D992FE82FEF41D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650910Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:04.616{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E4DE7E910A5D77BB1898E38F817D08E,SHA256=926D2FACB9719EEAC5BC6118C10889FA3B75B548BEFC281FED14B8795229979C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650909Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:04.553{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EB90913EF72B958B9569F56F9A4E144,SHA256=9ECEE4E42674E2836DD53C0D6D0B192B4CF3DC9D280DAB6A1622306E232BD815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650908Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:04.491{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B91EB9FA8FBE2C589F245E92B6D9622,SHA256=821EDA587A89EB0AC6BDCBFC7C3D1C2C8466787442AE2423663228740639DF55,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000650907Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:04.428{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2B988A1B7DB5623AA82DCDFB6AA31C08,SHA256=10D0D196E6CE1F13996C217219A94FF8E704CD4E75A8C76F9584FDEA2DD92E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650906Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:04.428{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BC069878A8EAA53E8F929E0D168B8AC,SHA256=19C81E1C654B50A4BA830D7376D42F2DBA18397EC34B6C038B4CA4284389D054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650905Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:04.428{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5BC0400E97D72FF3C80C520523CFEA,SHA256=423882AEBE59580065299BB7CA89ADB7DC777923AF557D2568DA6CA957641196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596072Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:05.938{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC86641B670968011CF0C0826A4E81B,SHA256=B51F3B029582FAF110D15D1A468AF4E9420DFC04B21187AB6D1844445F4B12E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650915Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:05.444{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FE516A758E0AFA3BC0079FD178EF92,SHA256=0C5F0A82A6E4319CF135030D9E6D1D4C35BEF72FB5A0C53808E0BE20713B29F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650914Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.605{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local50087-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000650913Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.605{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local50087-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000650912Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.312{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50086-false20.189.172.0-443https 23542300x8000000000000000650911Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:05.241{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BC27D8F390AC29FD44134AEFC595008,SHA256=B8E4AE2EE9C92F53E488B6AF252CE1489DD8B7988D430089EC8568AE9F9850E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650917Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:06.600{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B0D97DFAF0FDAC9A072CA283EF1C1CC,SHA256=C9A5DF5412CF7A95EAC1DF0AB1258F495D90BAC3ED145C4F0540EC386D61D00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650916Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:06.600{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1349A19FE54CD26AA1E6E97595D8D0F1,SHA256=F570189893697D1A78ED6A6A5631709D2E873FD4DF67BD2B0E6EF5A3343C2211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596076Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:06.953{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0844E45A484D591F4F1E00B014F157E,SHA256=19267175A6A750FED8DCDA60FFC007E60CF1141264480AF4D80E6B73C6D810D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000596075Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
13:56:03.987{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49809-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000596074Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:06.188{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=439B2F7872A158F65BD18A10FBFA08D6,SHA256=36FBE70BBB922950A5C893B7ED1CBFA49FAE0FD1B4B71F0FF925A84D26E80C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596073Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:06.188{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C85AED24BBE729478B3C0A8EB36B2604,SHA256=5FA20B634471B57A78E22BEDDC1D30D98C45304E279AA6C9938AEFBF085A31B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596077Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:07.969{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DC08109E1CE34FAC84733BFC232AC1,SHA256=18372FC7006EF1B7F16970424DB84D7CF3B6DDCF69B7B6688C3C52F7B343B8B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650919Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:07.834{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A3AC1DBF03DB4C0783CBC3964FAC52,SHA256=6901BA7CB01A1F0CA95C8CA71B7FE874408F7BF30A1C597A210FA0CB4F988F01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650918Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.589{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50088-false10.0.1.12-8000- 23542300x8000000000000000596078Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:08.969{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFD355356AEB494532CC71E748A03FEF,SHA256=0157E0BEC2DC9C889D9B2D72FB77EEB9ABE5DCCF1990DFF9EAFFD59170934452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650921Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:08.850{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDDE40F6E2823CA3ABE5C008A7F06E7,SHA256=BB85696A6D8A50097D2396907C92DD554C9AF5EFFEDC7E13BBB47FF5880CD517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650920Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:08.272{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C5C8AF71324BB38801C1E68A5517210,SHA256=141B9E3515194B2C2F0685864C1DD8AFBF474EADA33AD8AB265591AB977DE6EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596079Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:09.985{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26AF48A2C69819BD809ED014B7A2F63D,SHA256=B228A4B4267F2540A4055059C44B7E422CACC8C1A51D14CD322BEF8FABDF0739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650922Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:09.303{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F40AC16034B25A4F0161308ECD2D232,SHA256=758266EFC7CE29CF0C9C1AF833399E3115A732C1DD4E0EB4236F998F4DCE3103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596080Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:10.985{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C4A680BA078A08BCE60AB573D5CFF5,SHA256=C8E8309383FDC3B5363C72E60D0AD07729E6C2E05B97EBBEDEE96F9AAA76CCA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650924Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:10.553{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D89BC14894A558CAFBA2EAAB91E23F2,SHA256=4303FFC0ED49064940A9C4A63317473465BEA26B79BDDF4931B2B4A687BE6071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650923Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:10.084{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CD3AC4AE294581E9C7ACF8269A0214,SHA256=FB009236F715443DCD82512078A32529D5331CE1742DCD47EC95372FC36FE01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596081Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:11.985{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2131036C5E4899D381FD912416BAA8,SHA256=527BC82EA0DBCB323ED959378345D799345C0B9D3BA605BE8CB3EF47D06D5D07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650926Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:11.803{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F5F127F8FA521DB1A31509E7930587A,SHA256=714AD503C2ADC74C618420ED2301E69B4FEC9A8B3876084E037A311D5D81A72B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650925Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:11.100{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2606A38875EB88E3E991025FBF5DDE45,SHA256=0DE47F7B1BB188E4E41688239A7C0950AF7EA1480E2A4E47EB0A9493A96D533E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596085Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:12.985{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8AA239C8791BF27FCE73A7BA201CD3A,SHA256=CECB6836A94E141F6277EF359CD40776530ECD2774C4D6ED7CDDEA7806719713,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650928Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:08.682{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50089-false10.0.1.12-8000- 23542300x8000000000000000650927Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:12.100{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89847F1D5B73FEA21905A71B9EDD0EAF,SHA256=869BADD5F51232E70474686786130E10DDB811F1C04F8CFCC917E52CD7D3C001,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000596084Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:09.971{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49810-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000596083Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:12.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C778B4F20C337BDF25D10DACEE3C7D80,SHA256=C61CF25FD00B318263CD2E1FA2948BADA4D6C8DECE9C09A52104C60165472734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596082Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:12.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=439B2F7872A158F65BD18A10FBFA08D6,SHA256=36FBE70BBB922950A5C893B7ED1CBFA49FAE0FD1B4B71F0FF925A84D26E80C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650930Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:13.209{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DABA3B04DEA8EFE745C1829E86037136,SHA256=426FE8558047CEF4CDC3C49B82D2C5FA9CA574CC03CB1441B854D215FC0D3A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650929Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:13.131{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3435E0DDCA56E1305E891C9FE3D009D0,SHA256=D34B796B73FDF9F9E25355B56418B5BE8F78A6A55C338F52A5158AD7E2A2CBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650932Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:14.475{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AE6EE84059660246D904D575704692A,SHA256=6B4A865B488E389F03454D0FBB55D6BC6FF6F50D58A79A2E3A25EAE8A217C495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650931Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:14.178{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74748BD898B9587081938F3AFE7BC358,SHA256=60AE6C7162F8A7F473DAF57D42406F4CB504B3F82BA55D8C45A179A4E8C8534D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596086Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:14.016{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA4A2BC85A7D732CAA56C2ABDAF25E1,SHA256=4A0A3AC0EE1D6E5811F6FA51A272817A5A39556526955CFF3EA61B7992F02ED4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683285Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:31.662{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program 
23542300x8000000000000000683310Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:49.264{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CC6D97645457347706FB25642FAE3A,SHA256=391EA469F1FF51F6E3732EF223F5441105B4430523BC9B4BE9546642A7F77608,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623335Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.698{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-FEB9-60B8-B85C-00000000C501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623334Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.698{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000623333Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.698{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623332Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.698{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623331Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
16:17:49.698{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623330Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.698{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-FEB9-60B8-B85C-00000000C501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623329Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.698{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-FEB9-60B8-B85C-00000000C501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623328Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.699{97C2ED32-00AD-60B9-FE5C-00000000C501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000623327Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.027{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00AD-60B9-FD5C-00000000C501}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000623326Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.027{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623325Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.027{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623324Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
16:17:49.027{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623323Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.027{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623322Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
16:17:49.027{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-00AD-60B9-FD5C-00000000C501}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623321Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.027{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00AD-60B9-FD5C-00000000C501}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623320Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.028{97C2ED32-00AD-60B9-FD5C-00000000C501}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623355Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.917{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94579E6B1F9D78D98F3D30E8FE87950E,SHA256=C48E06773AE8F86DF096DFB57A0E1A5111C9F7F9016B0144E5C3255364F6ABED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683313Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:50.498{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA5ACF40965BB17A3ECCA446BD9D6BF5,SHA256=DC322905E98F5B0A95141E7CEA8BAB11944CA99069901696A0FD10E491B19FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683312Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:50.342{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93EEE75CE47EDAC95EA4E2C34B18CC4F,SHA256=D41BA7118DE48F0B22882E990B37355BA0834E19EB12407C54E930AA7EADF3F8,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000623354Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.901{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00AE-60B9-005D-00000000C501}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623353Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.901{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623352Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
16:17:50.901{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623351Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.901{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623350Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
16:17:50.901{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623349Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.901{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-00AE-60B9-005D-00000000C501}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623348Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.901{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00AE-60B9-005D-00000000C501}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623347Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.902{97C2ED32-00AE-60B9-005D-00000000C501}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000623346Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.495{97C2ED32-00AE-60B9-FF5C-00000000C501}31562964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623345Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.370{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00AE-60B9-FF5C-00000000C501}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623344Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.370{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623343Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
16:17:50.370{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623342Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.370{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623341Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
16:17:50.370{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623340Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.370{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-00AE-60B9-FF5C-00000000C501}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623339Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.370{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00AE-60B9-FF5C-00000000C501}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623338Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.371{97C2ED32-00AE-60B9-FF5C-00000000C501}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623337Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.042{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0FC5AED0DDB8070CE9A0CEA41E1D8C3,SHA256=6DE88D10EAC2B3F60DD05B53B5030148DD083FC1AA2F7E389491FE433B3BA028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623367Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.948{97C2ED32-788B-60B6-F700-00000000C501}3204NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D703FAA07F8AB2CDED9604279841E31,SHA256=8928197F731FA6A64462D204C63D69BF91DD871DBBF90F4EAF60D234C519E96E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683315Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:51.639{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0C19A0314208618B63772078D510E0F,SHA256=50714A67240DC7007B833DFF3CF17E12E3A7F61426C794CF13B01BA8C3E0AFA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683314Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:51.358{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB29E39D26B0C0B82B8AFD121FB90D6,SHA256=02A57F2DED5471F68C923F909F71AFA6245F3F1D8BACAA2E4DE473882908B4CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623366Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.573{97C2ED32-00AF-60B9-015D-00000000C501}32282760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623365Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.433{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00AF-60B9-015D-00000000C501}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623364Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623363Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
16:17:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623362Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623361Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
16:17:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623360Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.433{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-00AF-60B9-015D-00000000C501}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623359Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.433{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00AF-60B9-015D-00000000C501}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623358Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.434{97C2ED32-00AF-60B9-015D-00000000C501}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623357Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.417{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=938A1A3069C311604B32000BAC2F7959,SHA256=A8DCCFEB75CC73D79C49BFCBEE2262414D28426A9B06B39F65357C9AA5475D34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623356Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
16:17:51.026{97C2ED32-00AE-60B9-005D-00000000C501}53283848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000623370Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:52.948{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A775F259B84C957339364C44A31B14,SHA256=DE314D6A90226B0848EBD4506A8BB200D7481227DD9F22DE90C81352B0E3E455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683318Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:52.811{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B53FE9967E889297FBCE27885535E372,SHA256=213B11B43B891DC8CC34B3B3D87C9F5D41F02A0F047C05051DB1DC476A913411,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683317Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:48.478{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65029-false10.0.1.12-8000- 23542300x8000000000000000683316Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:52.373{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C5B3B50257CBED7ED993F86CFB4848,SHA256=5FE347652F1FF487CC4778DDEBB0BFC29DAF7356DB5DBEBF8F3B138CED9D8D0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623369Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.057{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51578-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623368Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:52.652{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFB993D2E73A21FBA2A3F3C30027C8E0,SHA256=9B5079A942609B3E05B749F977EE42BC52675EC2889A6E1FF99F73EB90090491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623371Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:53.980{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD999DEAFCC21611B6303992E759D90F,SHA256=3FE5E7AA20018C26685344F28B49207318A422A15F12B98A6EA45F4F0E349EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683319Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:53.405{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0273B1C3E72C439399481C3871CE65B,SHA256=C33484285C92FBEBF7FCF3497BBA273DF083946211D0C8DC51E570755C2A7A50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623372Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:54.980{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60049A14902BEBC531389059345792F,SHA256=BC1EB1F78AADE8E6C0CEF1939528B3E419A4A52681B3EC5C1E1CB06534C1D3FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683321Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:54.467{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B67879A1F5A2AEB57776F2F7E7C76E,SHA256=3450E4E623D3F212F551F57F7C17696785AAC40676640A195F600CB6335A1811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683320Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:54.123{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB1B17D6EA49B154F7D06B1ECC684CBE,SHA256=C6C435BAA747CFF714E39473395AB7B93225CFC82856C727A93EA6C73DD9659D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683323Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:55.483{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B5E97107DDB4D5081043C9233EE2F7,SHA256=8A69D4C49B423A14382798FEC393C5851D0D7E78DC53F75275BE22806308B1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683322Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:55.279{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B61863FFBCEAB6DDE148EE91B247B57,SHA256=2B2047E79F327ABDAB41F19AA08E3F5763E1E7622F23D00A0BD33BBAC9417B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683325Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:56.842{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4707C6F63FBAB58770493729EBEB990,SHA256=A29DC6095C123EF4FDE792C853CECC3419D6CEBE4577EB2F5167AA4C143FE77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683324Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:56.498{D419E45B-7552-60B6-7500-00000000C401}2528NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B27C6D2C8B49BB466A08561260F2C4,SHA256=5E691A4250D308A600CB3D6121C9A93133B8AEDB312565A9ECB85092515E3C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623373Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:56.011{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2565EE86C1CF2173AE103851228D4AFE,SHA256=25B5539A97512276E98F7E7C2AC38BF4501898E7540EB51561F319309EB59A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683327Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:57.873{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4FD2C4C7A9A120BD2DD93BE2B4F5F27,SHA256=0F5C7DB32B1CD68B4BBB32B5C2F6FEE42C19E0226708E4AC3DE49E8BEBD90370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683326Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:57.514{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D1146D3F70F881624190A0FA7D8F48,SHA256=74586265F6573FA4FC86BF93872A0B6BB20A331CFBE55903D84F82C4264089B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623374Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 
16:17:57.012{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CC1D52E4E5D081BDBAC1D8BB4F2656,SHA256=CA0867D48C0F85FEFD5489DC604C2CAEF6145D54EE9AD7AFD70CD300DE7A81E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683329Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:54.478{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65030-false10.0.1.12-8000- 23542300x8000000000000000683328Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:58.529{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A823475041F35478F2846E628BF97D8,SHA256=28A07EE186E7E396AD981D3B2A3CBB4A7E2606AC7013BE07DF220B6E6741B8C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623378Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:56.000{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51579-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623377Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:58.150{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA25ADAA2BF201C332493F1D65D4DE4C,SHA256=A41E6A9FD9E85716D7162E73CB0ED7B60B6E708E63CC68FFE9B5CE4F75CDE1CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623376Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:58.150{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48B505BCD758BBAC745D923AFA130A33,SHA256=F36A21D4EE51F6C9E7E6062FD9866E190F49D70FACF0BB391C934C55C34C0375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623375Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:58.025{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBED50714E180AB4DC9C0E535276E61,SHA256=5A6A4A341F3AF3F8A66F88F48609004E37B2046EC8D428291500B64E6B61B44B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683333Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:55.667{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65031-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000683332Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:55.667{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65031-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 
23542300x8000000000000000683331Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:59.545{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC32218ABB542355765208ACFE901651,SHA256=6857E1D4028165F9DEA0EE6ABE5C93F571254418EA2FD375ECACEB5E9B9FD6C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623379Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:59.059{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6330D00A0A78917F39BA32C50CBCF8A0,SHA256=F428A780A436AB3E33DCB2C02F5F30ECB33D3430C53EB299BD8935483BF70B22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683330Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:59.030{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7818479271C9555D8D31C1E56D90180,SHA256=4F99CCB1B2C685CDAD81ADBE8C4421C0AC8E31BFC73D5618C621B14F938841DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683335Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:00.546{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9D01F76F527911EA46B455D69BA91D,SHA256=E4C1FE9F5C3FB5DE81312462ECF34546FD57114A538155CEF9F47D0CFA87AC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623381Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:00.544{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623380Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:00.075{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED02AD71C005938A12992B24B2770D7,SHA256=BAA20879E2E25CD9376E28A5936216347F5EB7380374B290A1F52B31E565912B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683334Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:00.265{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0F767F30E79979B02E095D3FB276CC6,SHA256=BC1BC38925B21BD0D9B0E45FED6F7DA7CF71AB3DD430793374A5C8BE78378B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683336Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:01.575{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683397Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683396Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683395Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683394Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683393Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683392Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683391Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683390Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683389Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683388Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683387Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683386Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683385Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683384Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683383Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683382Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683381Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683380Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683379Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683378Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683377Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000683376Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4B4D3AEA63BFB00BECF129932923731,SHA256=B48D39B9D1A55E65A52237FF7AF0B9A997699076933EFA471B91494D9C353699,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000683375Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.190{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-00C5-60B9-9352-00000000C401}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683374Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.190{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683373Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
16:18:13.190{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683372Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.190{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683371Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 
16:18:13.190{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683370Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.190{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-00C5-60B9-9352-00000000C401}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683369Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.190{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-00C5-60B9-9352-00000000C401}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683368Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.176{D419E45B-00C5-60B9-9352-00000000C401}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000683367Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:08.218{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65036-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000623405Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:14.203{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B63FE8C23F7D9860C7764E2A5BCF91D,SHA256=72829221007FC51C1D5995818CE7D332DD62EE2BC0C3AF07CA6EB6B6C73E582A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623404Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:14.203{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4472CC514DD28A644F5D3C23C74B84CF,SHA256=A4FA56587A1CB20C97C6B79E827C6F758EC49624FDF362CAB5C3D116E241C36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623403Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:14.203{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0812486DC3F1D9942982B893BFEFDD39,SHA256=E5ADCF127389F36CCB444F90025223D07E1C5349B5B34A85D65CD2A2A68C410C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683432Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.878{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-00C6-60B9-9652-00000000C401}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683431Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 